Doyensec Vulnerability Advisory
- Regular Expression Denial of Service (REDoS) in cairosvg
- Affected Product: CairoSVG v2.0.0+
- Vendor: https://github.com/Kozea
- Severity: Medium
- Vulnerability Class: Denial of Service
- Author(s): Ben Caller (Doyensec)
Summary
When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).
If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.
Technical description
The vulnerable regular expressions are
https://github.com/Kozea/CairoSVG/blob/9c4a982b9a021280ad90e89707eacc1d114e4ac4/cairosvg/colors.py#L190-L191
The section between 'rgb(' and the final ')' contains multiple overlapping groups.
Since all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.
The complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.
Reproduction steps
Create a malicious SVG of the form:
<svg width="1" height="1"><rect fill="rgb( ;"/></svg>
with the following code:
'<svg width="1" height="1"><rect fill="rgb(' + (' ' * 3456) + ';"/></svg>'
Note that there is no closing parenthesis before the semi-colon.
Run cairosvg e.g.:
cairosvg cairo-redos.svg -o x.png
and notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.
Remediation
Fix the regexes to avoid overlapping parts. Perhaps remove the [ \n\r\t]* groups from the regex, and use .strip() on the returned capture group.
Disclosure timeline
- 2020-12-30: Vulnerability disclosed via email to CourtBouillon
References
Doyensec Vulnerability Advisory
Summary
When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).
If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.
Technical description
The vulnerable regular expressions are
https://github.com/Kozea/CairoSVG/blob/9c4a982b9a021280ad90e89707eacc1d114e4ac4/cairosvg/colors.py#L190-L191
The section between 'rgb(' and the final ')' contains multiple overlapping groups.
Since all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.
The complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.
Reproduction steps
Create a malicious SVG of the form:
with the following code:
Note that there is no closing parenthesis before the semi-colon.
Run cairosvg e.g.:
and notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.
Remediation
Fix the regexes to avoid overlapping parts. Perhaps remove the [ \n\r\t]* groups from the regex, and use .strip() on the returned capture group.
Disclosure timeline
References