
Address Regular Expression Denial of Service vulnerability #12280

Conversation

vcidst
Contributor

@vcidst vcidst commented Apr 17, 2023

Proposed changes:

  • Make changes to address the Catastrophic Backtracking security vulnerability by Snyk. Regex processing time is linearly dependent on the length of the string; this attack makes use of arbitrarily long strings to cause Denial of Service.

Status (please check what you already did):

  • added some tests for the functionality
  • updated the documentation
  • updated the changelog (please check changelog for instructions)
  • reformat files using black (please check Readme for instructions)
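As an added illustration of the mechanism the PR description refers to (this is example code written for this page, not Rasa's Slack connector and not the code in this PR): a Slack-style `<@UID>` mention stripper written once with the id interpolated verbatim into the pattern and once with `re.escape`. `SAMPLE_MESSAGE`, `BOT_UID`, `MALICIOUS_UID`, the function names and the Slack id shape assumed in `looks_like_slack_uid` are all constructed for this example.

```python
"""Why an unescaped id inside a regular expression is a ReDoS vector.

Example code, not Rasa's. A connector that strips its own bot id from a
message by interpolating the id into a regex lets whoever controls that id
control the pattern; re.escape() turns the id back into a literal.
"""
import re
import time
from typing import Callable, Iterable

# Constructed sample data (not taken from Rasa or from the PR).
SAMPLE_MESSAGE = "<@U024BE7LH> can you book a table for two?"
BOT_UID = "U024BE7LH"
# A "user id" carrying regex metacharacters: a nested quantifier followed by
# an anchor that can never succeed before the closing '>' of the mention.
MALICIOUS_UID = "(a+)+$"


def strip_mentions_unescaped(message: str, uids_to_remove: Iterable[str]) -> str:
    """Vulnerable form: the id becomes part of the pattern verbatim."""
    for uid in uids_to_remove:
        message = re.sub(rf"<@{uid}>\s*", "", message)
    return message


def strip_mentions_escaped(message: str, uids_to_remove: Iterable[str]) -> str:
    """Hardened form: every metacharacter in the id is quoted, so the id matches literally."""
    for uid in uids_to_remove:
        message = re.sub(rf"<@{re.escape(uid)}>\s*", "", message)
    return message


def looks_like_slack_uid(uid: str) -> bool:
    """Defense in depth: reject ids that do not look like an id at all.

    Assumed shape (not taken from Slack documentation on this page): an upper-case
    prefix letter followed by upper-case alphanumerics. Escaping is still applied
    afterwards; this check only narrows what reaches the regex at all.
    """
    return re.fullmatch(r"[UWB][A-Z0-9]{2,}", uid) is not None


def backtracking_input(n: int) -> str:
    """Message on which the unescaped pattern '<@(a+)+$>' backtracks ~2**n times.

    After '<@', '(a+)+' can split the run of a's in exponentially many ways and
    '$' fails every time because '!' follows, so the engine tries them all.
    """
    return "<@" + "a" * n + "!"


def seconds_taken(fn: Callable[[], object]) -> float:
    """Wall-clock time of one call; used only to make the blow-up visible."""
    start = time.perf_counter()
    fn()
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (strip_mentions_unescaped, strip_mentions_escaped):
        print(fn.__name__, "->", repr(fn(SAMPLE_MESSAGE, [BOT_UID])))
    # Each extra 'a' roughly doubles the time of the unescaped version; the
    # escaped version looks for the literal text '<@(a+)+$>' and returns at once.
    for n in (16, 18, 20):
        text = backtracking_input(n)
        slow = seconds_taken(lambda: strip_mentions_unescaped(text, [MALICIOUS_UID]))
        fast = seconds_taken(lambda: strip_mentions_escaped(text, [MALICIOUS_UID]))
        print(f"n={n}: unescaped {slow:.3f}s, escaped {fast:.6f}s")
    print("malicious id passes shape check:", looks_like_slack_uid(MALICIOUS_UID))
```

Running the block shows the unescaped variant's time doubling with every additional character of the crafted message while the escaped variant stays flat; the shape check is an extra gate, not a substitute for `re.escape`, since a legitimately shaped id is still data and should never be treated as pattern syntax.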

@vcidst vcidst requested a review from a team as a code owner April 17, 2023 10:30
@vcidst vcidst changed the title Address ReDoS Address Regular Expression Denial of Service vulnerability Apr 17, 2023
@vcidst vcidst requested review from a team, Urkem and radovanZRasa and removed request for a team April 17, 2023 10:33
@@ -268,21 +268,23 @@ def _sanitize_user_message(
uids_to_remove = uids_to_remove or []

for uid_to_remove in uids_to_remove:
escaped_uid = re.escape(uid_to_remove)
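Review bot: `re.escape(uid_to_remove)` only neutralises metacharacters inside the id itself; the pattern that `escaped_uid` is later substituted into lies outside the visible lines, so any nested or overlapping quantifiers in that surrounding expression would still backtrack and should be checked separately. The unit test requested for this hunk should, beyond asserting that `re.escape` is called, pass a `uids_to_remove` entry containing metacharacters such as `(`, `+` or `$` and assert that the message is sanitised literally without raising `re.error`; checking only that `re.escape` is invoked does not show that the resulting pattern behaves correctly.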
Contributor

We should add a unit test which checks that re.escape is called.

Contributor Author

I've added a test to check for this.

Member

@ancalita ancalita left a comment


It also must be investigated how the failing slack unit test is connected to the changes made; I doubt it's flaky.

changelog/12280.bugfix.md (outdated, resolved)
rasa/core/channels/slack.py (outdated, resolved)
@vcidst vcidst requested a review from ancalita April 21, 2023 08:54
@github-actions

🚀 A preview of the docs has been deployed at the following URL: https://12280--rasahq-docs-rasa-v2.netlify.app/docs/rasa

Member

@ancalita ancalita left a comment


👍🏻

@vcidst vcidst enabled auto-merge April 21, 2023 09:34
@vcidst vcidst merged commit 319811f into 3.5.x Apr 21, 2023
113 checks passed
@vcidst vcidst deleted the ATO-877-Snyk-report-Regular-Expression-Denial-of-Service-on-Slack-connector branch April 21, 2023 18:05