Fix ReDos attack in #117 (#118)
* Fix ReDos attack in #117

* Make timing more explicit

* fix test

* Fix test
jnothman committed Feb 25, 2021
1 parent dadf688 commit 15885a6
Showing 2 changed files with 8 additions and 2 deletions.
3 changes: 1 addition & 2 deletions arff.py
Expand Up @@ -163,7 +163,6 @@

_RE_RELATION = re.compile(r'^([^\{\}%,\s]*|\".*\"|\'.*\')$', re.UNICODE)
_RE_ATTRIBUTE = re.compile(r'^(\".*\"|\'.*\'|[^\{\}%,\s]*)\s+(.+)$', re.UNICODE)
_RE_TYPE_NOMINAL = re.compile(r'^\{\s*((\".*\"|\'.*\'|\S*)\s*,\s*)*(\".*\"|\'.*\'|\S*)\s*\}$', re.UNICODE)
_RE_QUOTE_CHARS = re.compile(r'["\'\\\s%,\000-\031]', re.UNICODE)
_RE_ESCAPE_CHARS = re.compile(r'(?=["\'\\%])|[\n\r\t\000-\031]')
_RE_SPARSE_LINE = re.compile(r'^\s*\{.*\}\s*$', re.UNICODE)
Expand Down Expand Up @@ -736,7 +735,7 @@ def _decode_attribute(self, s):
name = str(name.strip('"\''))

# Extracts the final type
if _RE_TYPE_NOMINAL.match(type_):
if type_[:1] == "{" and type_[-1:] == "}":
try:
type_ = _parse_values(type_.strip('{} '))
except Exception:
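Review bot: The new test `type_[:1] == "{" and type_[-1:] == "}"` accepts any brace-delimited string, so rejecting malformed nominal lists and staying linear on hostile input now rest entirely on `_parse_values`, whose body is outside this hunk. It is worth confirming that the patterns it uses have no nested quantifiers like the `((...|\S*)\s*,\s*)*` group in `_RE_TYPE_NOMINAL`, which this commit appears to drop. A short comment above the check would keep the regex from being reintroduced later, for example `# Plain brace check on purpose: _RE_TYPE_NOMINAL backtracked catastrophically on crafted input (#117); _parse_values validates the contents.` `_decode_attribute` starts before and continues past the visible lines.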
7 changes: 7 additions & 0 deletions tests/test_decode_attribute_types.py
Expand Up @@ -144,3 +144,10 @@ def test_invalid_type(self):
fixture
)

# Check non-regression of ReDos raised in https://github.com/renatopp/liac-arff/issues/117
fixture = u"@attribute width {',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',',"
self.assertRaises(
arff.BadAttributeType,
decoder._decode_attribute,
fixture
)
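Review bot: The regression fixture never closes its brace, so as far as the visible lines show it is turned away by the first/last-character check in `_decode_attribute`, and `_parse_values` is never run on the long quoted-comma input. A second fixture with the same body plus a closing `}` would cover that path, asserting whatever outcome `_parse_values` is meant to give for it. The test also has no time bound, so a return of the backtracking would show up as a hung run rather than a failure. Timing the call with `time.perf_counter()` and asserting a generous ceiling would make that intent explicit. The enclosing test method starts above the hunk.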
