Vulnerable Regular Expression in utils.py #3811
Comments
@yetingli thanks for the report.
Pierre-Sassoulas pushed a commit to Pierre-Sassoulas/pylint that referenced this issue, Sep 9, 2020.
yetingli pushed a commit to yetingli/pylint that referenced this issue, Sep 10, 2020:
The ambiguity of the vulnerable regex is eliminated, so that when the fixed regex matches a string there is only a unique path to match, thereby ensuring that the fixed regex is safer and faster to match. This related issue addresses pylint-dev#3811
Pierre-Sassoulas pushed a commit to Pierre-Sassoulas/pylint that referenced this issue, Sep 10, 2020.
Pierre-Sassoulas pushed a commit that referenced this issue, Sep 10, 2020.
Type of Issue
Potential Regex Denial of Service (ReDoS)
Description
The vulnerable regular expressions are located in
https://github.com/PyCQA/pylint/blob/2261844748be0f881719963d2fb5932dd4e4a2e2/pylint/pyreverse/utils.py#L54
https://github.com/PyCQA/pylint/blob/2261844748be0f881719963d2fb5932dd4e4a2e2/pylint/pyreverse/utils.py#L55
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern [^\W_]+\w* and can be exploited with the following string
"__"+"1"*5000 + "!"
I think you can limit the input length or modify these regexes.
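The report above names the ambiguous sub-pattern `[^\W_]+\w*` and the payload `"__" + "1"*5000 + "!"`, and the fix commit in the thread describes the remedy as removing the ambiguity so that a match has a single path. The following is an added example written for this page, not pylint's own `pyreverse/utils.py`: the anchored pattern it calls `VULNERABLE` is an assumption about the shape of the affected regex (the report shows only the sub-pattern, and a payload ending in "!" implies a tail that fails at the last character), and `HARDENED` is an equivalent unambiguous rewrite in the spirit of the fix, not the project's actual replacement pattern. It checks that both regexes give the same verdicts on constructed sample identifiers and times both against the reporter's payload at growing lengths.

```python
"""Worked ReDoS check for the `[^\W_]+\w*` sub-pattern named in the report.

Added example, not pylint's own utils.py. The anchored pattern below is an
assumption about the shape of the affected regex.
"""
import re
import time

# Assumed vulnerable shape: `[^\W_]+` and `\w*` both accept digits, so a run
# of n digits can be split between them n ways; the trailing `__$` fails on
# "!" every time, so a failing match backtracks through O(n^2) steps.
VULNERABLE = re.compile(r"^__[^\W_]+\w*__$")

# Unambiguous rewrite (my own, not the project's fix): `[^\W_]+\w*` and
# `[^\W_]\w*` accept exactly the same strings, but in the second form the
# first atom can consume only one character, so there is a single way to
# split the input and a failing match costs O(n).
HARDENED = re.compile(r"^__[^\W_]\w*__$")


def redos_payload(n):
    """The reporter's payload: "__" + "1"*n + "!"."""
    return "__" + "1" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def same_verdicts(samples):
    """Differential check: both regexes must accept or reject each sample
    alike, which is what makes HARDENED a drop-in replacement."""
    return all(
        (VULNERABLE.match(s) is None) == (HARDENED.match(s) is None)
        for s in samples
    )


# Constructed identifiers covering the accept/reject boundary of the pattern.
SAMPLES = [
    "__init__", "__a1_b2__", "__1__", "__x___", "___x__",
    "__x", "_x__", "__!__", "__", "",
]


if __name__ == "__main__":
    print("differential check agrees:", same_verdicts(SAMPLES))
    for n in (500, 1000, 2000, 4000):
        _, slow = timed_match(VULNERABLE, redos_payload(n))
        _, fast = timed_match(HARDENED, redos_payload(n))
        # Doubling n roughly quadruples `slow`, while `fast` stays flat.
        print(f"n={n:5d}  vulnerable={slow:8.4f}s  hardened={fast:8.6f}s")
```

The timing loop is the practical check: a quadratic pattern shows its growth rate within a few doublings of `n`, well before the 5000-character payload from the report, while the rewritten pattern rejects the same input in linear time. The differential check over `SAMPLES` is what justifies shipping the rewrite at all, since a regex that is fast but accepts a different language is a new bug rather than a fix.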