Commit

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See pytest-dev/py#287 (comment) for additional context.
pdodds committed Jan 13, 2023
1 parent 6c973f5 commit c0ee625
Showing 2 changed files with 22 additions and 31 deletions.
51 changes: 21 additions & 30 deletions poetry.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -38,7 +38,7 @@ pydantic-yaml = ">=0.8.0,<0.9.0"

[tool.poetry.group.dev.dependencies]
mkdocs-material = "^9.0.3"
pytest = "7.1.2"
pytest = "7.2.0"
pytest-runner = "6.0.0"
mypy = "^0.991"
flake8 = "^6.0.0"
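
Review bot: The new pytest line under [tool.poetry.group.dev.dependencies] is still an exact pin ("7.2.0"), while mkdocs-material, mypy and flake8 in the same table use caret ranges, so later pytest fixes will again need a manual bump; consider pytest = "^7.2.0" unless the exact pin is deliberate. Because the commit message relies on pytest 7.2.0 dropping its dependency on py, and the poetry.lock diff is not rendered on this page, please also confirm that py no longer appears in poetry.lock, since another dev dependency could still pull it in.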
