Coordinated Disclosure Timeline
- 2021-08-31: Created an issue to ask for contact details.
- 2021-08-31: Burak Arslan (burak.arslan@arskom.com.tr) got in touch to ask for more details. I have now emailed the report to Burak.
- 2021-10-14: Emailed my suggested fix to Burak Arslan.
- 2021-10-18: Reply from Burak Arslan, who says it’s ok to create a pull request.
- 2021-10-18: Created https://github.com/arskom/spyne/pull/675
- 2021-10-18: Fix is merged.
Summary
Spyne contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
Spyne
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with python3:

import re

email_re = re.compile(
    r"[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+"
    r"(\.[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+)*@"
    # domain part is either a single symbol
    r"(([a-zA-Z0-9]|"
    # or have at least two symbols
    # hyphen can't be at the beginning or end of domain part
    # domain should contain at least 2 parts, the last one is TLD
    r"([a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])+)\.)+"
    # TLD should contain only letters, at least 2
    r"[A-Za-z]{2,}", re.IGNORECASE)

print(email_re.match("~.~@a0" + "0000" * 25))
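To see how the nested quantifier in the domain part behaves as the digit run grows, and what an unambiguous rewrite buys, here is an added example (not code from the advisory or from Spyne). The hardened pattern is an assumption of this example, written so that it accepts the same domain labels as the original (alphanumeric at both ends, hyphens only inside); it is not the fix that was merged in the pull request.

```python
import re
import time

# The vulnerable expression exactly as shown in the advisory, kept for comparison.
VULNERABLE_RE = re.compile(
    r"[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+"
    r"(\.[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+)*@"
    r"(([a-zA-Z0-9]|([a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])+)\.)+"
    r"[A-Za-z]{2,}", re.IGNORECASE)

# Hypothetical hardened rewrite (an assumption of this example, not the fix
# merged in the project): a domain label is written as one unambiguous
# pattern, so the engine has only one way to split "a0000..." into labels
# and a failed match backtracks linearly instead of exponentially.
HARDENED_RE = re.compile(
    r"[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+"
    r"(?:\.[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+)*@"
    r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+"
    r"[A-Za-z]{2,}", re.IGNORECASE)


def crafted_input(n):
    """Constructed input: a valid local part, then a domain run of n digits
    that never reaches the '.' the pattern needs, forcing full backtracking."""
    return "~.~@a" + "0" * n


def timed_match(pattern, text):
    """Return (matched?, seconds) for one anchored match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth_ratio(pattern, small, large):
    """How much slower the pattern is on crafted_input(large) than on
    crafted_input(small): a linear pattern stays near large/small,
    an exponential one runs away."""
    _, t_small = timed_match(pattern, crafted_input(small))
    _, t_large = timed_match(pattern, crafted_input(large))
    return t_large / max(t_small, 1e-9)


if __name__ == "__main__":
    for n in (12, 16, 20, 24):
        print("vulnerable n=%d: %r %.4fs" % ((n,) + timed_match(VULNERABLE_RE, crafted_input(n))))
    for n in (12, 1000, 100000):
        print("hardened   n=%d: %r %.4fs" % ((n,) + timed_match(HARDENED_RE, crafted_input(n))))
    print("ratio vulnerable 12->24:", round(growth_ratio(VULNERABLE_RE, 12, 24)))
    print("ratio hardened   12->24:", round(growth_ratio(HARDENED_RE, 12, 24)))
```

Keep n small for the vulnerable pattern; the advisory's 102-character input already takes far too long to finish, while the hardened pattern rejects a 100,000-digit domain in milliseconds.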
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-115 in any communication regarding this issue.