Merge pull request #363 from python/bugfix/361-regexp-perf

Address potential performance weakness in EntryPoint.pattern.
python · Jan 17, 2022 · 67cd67f · 67cd67f
2 parents 9491ef9 + 5516095
commit 67cd67f
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,3 +1,8 @@
+v4.10.1
+=======
+
+* #361: Avoid potential REDoS in ``EntryPoint.pattern``.
+
 v4.10.0
 =======
 

diff --git a/exercises.py b/exercises.py
@@ -34,3 +34,12 @@ def uncached_distribution_perf():
     # end warmup
     importlib.invalidate_caches()
     importlib_metadata.distribution('ipython')
+
+
+def entrypoint_regexp_perf():
+    import importlib_metadata
+    import re
+
+    input = '0' + ' ' * 2 ** 10 + '0'  # end warmup
+
+    re.match(importlib_metadata.EntryPoint.pattern, input)
diff --git a/importlib_metadata/__init__.py b/importlib_metadata/__init__.py
@@ -161,8 +161,8 @@ class EntryPoint(DeprecatedTuple):
 
     pattern = re.compile(
         r'(?P<module>[\w.]+)\s*'
-        r'(:\s*(?P<attr>[\w.]+))?\s*'
-        r'(?P<extras>\[.*\])?\s*$'
+        r'(:\s*(?P<attr>[\w.]+)\s*)?'
+        r'((?P<extras>\[.*\])\s*)?$'
     )
     """
     A regular expression describing the syntax for an entry point,