Skip to content

[BUG] Inefficient Regex #3659

New issue
New issue
Closed
Closed
[BUG] Inefficient Regex#3659
Labels
Needs TriageIssues that need to be evaluated for severity and status.bug
@SCH227

Description

@SCH227
SCH227
opened on Nov 2, 2022

setuptools version

setuptools==65.5.0

Python version

Python 3.10

OS

Kali Linux

Additional environment information

The reported bug should be independent from env

Description

This regex pattern is inefficient.
As described through PSRT channel, it may end in a DoS if an user is fetching malicious HTML from a package in PyPI or custom PackageIndex page.

Expected behavior

Regex matches/not without hanging.
The following regex seems to be performing ok:
<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>

How to Reproduce

Described through PSRT channel

Output

[ hangs forever ]

Activity

SCH227
added
bug
Needs TriageIssues that need to be evaluated for severity and status.
on Nov 2, 2022
jaraco
added a commit that references this issue on Nov 4, 2022

Add test capturing failed expectation. Ref #3659.

5791343
jaraco
closed this as completedin 43a9c9bon Nov 4, 2022
jaraco
added a commit that references this issue on Nov 4, 2022

Update changelog. Ref #3659.

58e23de
domdfcoding

domdfcoding commented on Nov 15, 2022

@domdfcoding
domdfcoding
on Nov 15, 2022
Contributor

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

jsf9k
added a commit that references this issue on Nov 15, 2022

Add a lower bound for the version of setuptools

51fa6d7
jsf9k
mentioned this on Nov 15, 2022
jsf9k
added a commit that references this issue on Nov 15, 2022

Add a lower bound for the version of setuptools

c149b76
Doondondon

Doondondon commented on Apr 7, 2023

@Doondondon
Doondondon
on Apr 7, 2023 · Hidden as off-topic
jaraco

jaraco commented on Apr 7, 2023

@jaraco
jaraco
on Apr 7, 2023
Member

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

I could in theory be triggered using pip if:

  • pip builds a package from source
  • that package is built with setuptools
  • that package has build-time dependencies (setup_requires) that aren't already satisfied in the environment or by pip (either because build-requires isn't declared or the invocation has bypassed the pep 518 behavior to install them).
faust64
mentioned this on Apr 19, 2023
rickprice
mentioned this on May 3, 2023
raulgd99
mentioned this in 2 pull requests on Sep 28, 2023

7 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    Needs TriageIssues that need to be evaluated for severity and status.bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @jaraco@domdfcoding@SCH227@Doondondon

        Issue actions
          [BUG] Inefficient Regex · Issue #3659 · pypa/setuptools