Coordinated Disclosure Timeline
- 2021-08-31: Created an issue asking for contact details.
- 2021-09-01: Draft advisory created: GHSA-r8wq-qrxc-hmcm.
- 2021-10-15: Created a pull request in the temporary private fork with my suggested fix.
- 2021-11-26: GHSA-r8wq-qrxc-hmcm published.
Summary
python-ldap contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
python-ldap
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with
python3:
import re
TOKENS_FINDALL = re.compile(
r"(\()" # opening parenthesis
r"|" # or
r"(\))" # closing parenthesis
r"|" # or
r"([^'$()\s]+)" # string of length >= 1 without '$() or whitespace
r"|" # or
r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))"
# any string or empty string surrounded by unescaped
# single quotes except if right quote is succeeded by
# alphanumeric char
r"|" # or
r"([^\s]+?)", # residue, all non-whitespace strings
).findall
# triggers ReDoS
l = TOKENS_FINDALL("'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-117 in any communication regarding this issue.