
Vulnerable Regular Expression in inventory #8175

Closed
yetingli opened this issue Sep 5, 2020 · 5 comments

Comments

@yetingli

yetingli commented Sep 5, 2020

Type of Issue
Potential Regex Denial of Service (ReDoS)

Description
The vulnerable regular expression is located in

m = re.match(r'(?x)(.+?)\s+(\S*:\S*)\s+(-?\d+)\s+?(\S*)\s+(.*)',

The ReDoS vulnerability of the regex is mainly due to the sub-pattern (\S*:\S*) and can be exploited with the following string:
" " + ":" * 5000

I think you can limit the input length or modify this regex.

@tk0miya
Member

tk0miya commented Sep 20, 2020

Thank you for reporting.
I posted #8225 to fix this. Please check it if you have time.

@yetingli
Author

Hi @tk0miya,
Thank you for your reply. But sorry, I did not find your fix. Maybe I would suggest you use ([^\s:]*:[^\s:]*) or ([^\s:]*:\S*) instead of the sub-pattern (\S*:\S*).

@tk0miya
Member

tk0miya commented Sep 27, 2020

Oops... I pushed the correct fix to GitHub. Could you check it again, please?

@yetingli
Author

The pattern modification looks good to me.

@tk0miya
Member

tk0miya commented Sep 28, 2020

Thank you for your confirmation!

tk0miya added a commit that referenced this issue Sep 28, 2020
Fix #8175: intersphinx: Potential of regex denial of service by inventory
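An added example (not code from the issue or from Sphinx itself) that puts the pattern quoted in the report next to the same pattern with the reporter's suggested sub-pattern ([^\s:]*:[^\s:]*), and times both on a constructed hostile line so the quadratic backtracking in (\S*:\S*) can be checked as a regression test. The sample inventory line, the hostile-line builder and the .rstrip() call are assumptions made for this example.

```python
import re
import time

# The pattern as quoted in the issue report. With a run of ':' and no trailing
# whitespace, (\S*:\S*) has O(n) ways to split the run, and each split is
# retried by the failing \s+ that follows, so matching is O(n^2).
VULNERABLE = re.compile(r'(?x)(.+?)\s+(\S*:\S*)\s+(-?\d+)\s+?(\S*)\s+(.*)')

# Same pattern with the sub-pattern the reporter suggested in the thread.
# [^\s:]* cannot consume ':', so the group has exactly one way to match and
# a failure after it backtracks in O(1).
FIXED = re.compile(r'(?x)(.+?)\s+([^\s:]*:[^\s:]*)\s+(-?\d+)\s+?(\S*)\s+(.*)')


def parse_inventory_line(pattern, line):
    """Return (name, type, prio, location, dispname) or None.

    Mirrors the shape of the re.match call quoted in the report; the
    .rstrip() is an assumption for this example.
    """
    m = pattern.match(line.rstrip())
    if not m:
        return None
    return m.groups()


def timed_match(pattern, line):
    """Seconds spent matching one line; usable as a ReDoS regression guard."""
    start = time.perf_counter()
    parse_inventory_line(pattern, line)
    return time.perf_counter() - start


# Constructed sample of a well-formed objects.inv line (not real project data).
VALID_LINE = "sphinx.application.Sphinx py:class 1 application.html#$ -"


def hostile_line(n=3000):
    """Constructed hostile input in the spirit of the report: a name token and a
    space so the match reaches the type group, then a run of n colons."""
    return "x " + ":" * n


if __name__ == "__main__":
    print(parse_inventory_line(FIXED, VALID_LINE))
    for label, pattern in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{label}: {timed_match(pattern, hostile_line()):.3f}s")
```

Both patterns parse the valid line identically; only the timing on the hostile line differs, which is the property a regression test should pin down.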
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 19, 2021