Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inefficient regular expression complexity in EntryPoint.pattern #361

Closed
jaraco opened this issue Jan 11, 2022 · 2 comments
Closed

Inefficient regular expression complexity in EntryPoint.pattern #361

jaraco opened this issue Jan 11, 2022 · 2 comments

Comments

@jaraco
Copy link
Member

jaraco commented Jan 11, 2022

Originally reported to the Python Security Response Team, the EntryPoint.pattern demonstrates a potential ReDoS.
@jaraco
Copy link
Member Author

jaraco commented Jan 11, 2022

Tim Peters had this suggested fix:

       pattern = re.compile(
            r'(?P<module>[\w.]+)\s*'
            r'(:\s*(?P<attr>[\w.]+)\s*)?'
            r'((?P<extras>\[.*\])\s*)?$'
       )

jaraco added a commit that referenced this issue Jan 17, 2022
@jaraco
Add test capturing undesirable performance. Ref #361.
2a20d2a
jaraco added a commit that referenced this issue Jan 17, 2022
@jaraco
Refactor regular expression to avoid expensive backtracking on contri…
62db79e 
…ved entry points.

Fixes #361.

Credit to Tim Peters.

Reduces cost from almost 2 seconds to ~100 µs on my workstation as reported by entrypoint_regexp_perf.
@jaraco jaraco mentioned this issue Jan 17, 2022
Merged
jaraco added a commit that referenced this issue Jan 17, 2022
@jaraco
Add test capturing undesirable performance. Ref #361.
4dbecdb
@jaraco jaraco closed this as completed in aa4f879 Jan 17, 2022
jaraco added a commit that referenced this issue Jan 23, 2022
@jaraco
Refactor regular expression to avoid expensive backtracking on contri…
cf7fef7 
…ved entry points.

Fixes #361.

Credit to Tim Peters.

Reduces cost from almost 2 seconds to ~100 µs on my workstation as reported by entrypoint_regexp_perf.
@jaraco
Copy link
Member Author

jaraco commented Jan 23, 2022
edited

Released with v4.10.1 and v2.1.3 (supporting Python 2.7) (manually released due to pytest-dev/pyfakefs#659).

halstead pushed a commit to openembedded/openembedded-core that referenced this issue Jan 25, 2022
@moto-timo @rpurdie
python3-importlib-metadata: upgrade 4.10.0 -> 4.10.1
60b478e 
v4.10.1
* 361: Avoid potential REDoS in EntryPoint.pattern.

References:
python/importlib_metadata#361

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
splitice pushed a commit to HalleyAssist/poky that referenced this issue Jan 25, 2022
@moto-timo @rpurdie
python3-importlib-metadata: upgrade 4.10.0 -> 4.10.1
15f9d2a 
v4.10.1
* 361: Avoid potential REDoS in EntryPoint.pattern.

References:
python/importlib_metadata#361

(From OE-Core rev: 60b478ef8990967e306243f6066d9ae261bbc3b9)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
splitice pushed a commit to HalleyAssist/poky that referenced this issue Jan 25, 2022
@moto-timo @rpurdie
python3-importlib-metadata: upgrade 4.10.0 -> 4.10.1
fa5f18e 
v4.10.1
* 361: Avoid potential REDoS in EntryPoint.pattern.

References:
python/importlib_metadata#361

(From OE-Core rev: 60b478ef8990967e306243f6066d9ae261bbc3b9)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Jan 26, 2022
@moto-timo @rpurdie
python3-importlib-metadata: upgrade 4.10.0 -> 4.10.1
d7a7e6d 
v4.10.1
* 361: Avoid potential REDoS in EntryPoint.pattern.

References:
python/importlib_metadata#361

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
splitice pushed a commit to HalleyAssist/poky that referenced this issue Jan 26, 2022
@moto-timo @rpurdie
python3-importlib-metadata: upgrade 4.10.0 -> 4.10.1
5a47f57 
v4.10.1
* 361: Avoid potential REDoS in EntryPoint.pattern.

References:
python/importlib_metadata#361

(From OE-Core rev: d7a7e6d640a5b0819be4478aeb0f42d4a4981c89)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
@jk464 jk464 mentioned this issue Nov 6, 2023
Closed
@arm4b arm4b mentioned this issue Nov 26, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jaraco