Coordinated Disclosure Timeline
- 2021-08-31: Created an issue asking for contact details.
- 2021-09-06: Draft advisory opened: GHSA-mv7q-fmfm-764m
- 2021-10-15: Added a comment to the draft advisory with my suggested fix.
- 2021-10-15: Fixed in commit
25852a9.
Summary
pydal contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
pydal
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with
python3:
import re
reg = re.compile("[^']*('[^']*'[^']*)*\:(?P<clob>(C|B)LOB\('([^']+|'')*'\))")
# Doesn't terminate
reg.match("foo:CLOB('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)")
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-116 in any communication regarding this issue.