potential DOS risk with pydantic - fix pending #1477
Comments
|
To wait for potential upstream fixes to this issue, these releases have been delayed. I'll comment here as soon as I know when a fix can be released for pydantic. |
|
Is this issue still necessary? |
|
The python security team have not yet fixed the the upstream error (I don't really understand why) but have ask packages not to mitigate the problem in libraries to avoid making it public. The whole situation is frustrating. |
|
Hi Samuel, is the underlying vulnerability still present in the upstream such that the DOS risk survives in the current version of the library? If not, what version was the issue resolved in? Thank you. Also, I believe we are well into responsible disclosure territory with respect to the upstream, given the time period that has elapsed. |
|
Quick update on this since a few people have asked about it. This an issue in cpython, it's not specific to pydantic. All versions of python are effected. The python security list were informed about it back in 2020 but after a flurry of initial emails, progress on a fix stopped as far as I'm aware. After @mruser's comment 2 weeks ago, I followed up with a few individuals involved and tried to press for a proper fix. The last update was 2 days ago, that the issue was being discussed between some core devs. and the SC. In short, while I'm disappointed this hasn't fixed sooner, I'm hopeful it will be fixed soon. I was asked not to fix it in pydantic to avoid making the vulnerability public, I'll stick to that for another few months in the hope of an upstream fix. |
|
Is the vulnerability somehow connected to the well known issues with NaN implementation? If so, the issue should be closed, in my opinion. |
|
No |
|
Is this issue effecting all versions of Pydantic, on version 1.4 and beyond, or only on 1.4 and 1.5.1? |
|
This has now been made public and it seems a fix will be out soon. If you're parsing, JSON the simplest solution is to use ujson which doesn't suffer from this problem. I'll see if I can get a fix it which limits input to ints soon. |
* prevent long strings as int inputs, fix #1477 * fix tests 🤦 * fix length in change file
I have been made aware of a potential DOS attack risk in pydantic.
The fix I believe is relatively trivial, I will release:
v1.5.2based of the currentv1.5.1tagv1.4.1based of the currentv1.4tagThese releases will be made just after 1pm UTC on 2020/5/11, that's next Monday.
If you require a fix to any other version, please let me know on this issue.
The text was updated successfully, but these errors were encountered: