Coordinated Disclosure Timeline
- 2021-08-31: Sent report to lead2gold@gmail.com (@caronc)
- 2021-08-31: Reply from lead2gold@gmail.com: “I’ll look into this as soon as I can.”
- 2021-09-06: Issue is fixed.
Summary
Apprise contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
Apprise
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability in inefficient regular expressions: on a crafted input string the matcher can backtrack through an enormous number of alternatives and take an extremely long time to finish.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is quoted below.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with python3:

```python
import re

# The pattern quoted from Apprise: the nested quantifier in the `events`
# group, `([A-Z0-9_-]+/?)+`, lets a run of name characters be split across
# iterations in exponentially many ways. The trailing `|` in the input can
# never be consumed, so every split is tried before the match finally fails.
m = re.match(
    r'^https?://maker\.ifttt\.com/use/'
    r'(?P<webhook_id>[A-Z0-9_-]+)'
    r'/?(?P<events>([A-Z0-9_-]+/?)+)?'
    r'/?(?P<params>\?.+)?$',
    "http://maker.ifttt.com/use/------------------------------------------------------------|",
    re.I)
```
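As an added illustration (not code from the advisory or from Apprise), the quoted pattern is placed beside a hardened rewrite that accepts the same URLs without the nested repetition; the hardened pattern, the helper names and the sample URLs are assumptions made for this example, not Apprise's actual fix.

```python
import re
import time

# Pattern quoted in the advisory (vulnerable): `([A-Z0-9_-]+/?)+` nests two
# unbounded repetitions over the same character class, so a run of n name
# characters can be split between iterations in exponentially many ways.
VULNERABLE = re.compile(
    r'^https?://maker\.ifttt\.com/use/'
    r'(?P<webhook_id>[A-Z0-9_-]+)'
    r'/?(?P<events>([A-Z0-9_-]+/?)+)?'
    r'/?(?P<params>\?.+)?$', re.I)

# Hardened rewrite (an assumption for illustration, not Apprise's actual fix):
# every further event must begin with a literal '/', so each input character
# can be consumed in exactly one way and a failed match costs linear time.
HARDENED = re.compile(
    r'^https?://maker\.ifttt\.com/use/'
    r'(?P<webhook_id>[A-Z0-9_-]+)'
    r'(?:/(?P<events>[A-Z0-9_-]+(?:/[A-Z0-9_-]+)*))?'
    r'/?(?P<params>\?.+)?$', re.I)

def parse_ifttt_url(url, pattern=HARDENED):
    """Return (webhook_id, [events], params) or None if the URL is rejected."""
    m = pattern.match(url)
    if m is None:
        return None
    events = [e for e in (m.group('events') or '').split('/') if e]
    return m.group('webhook_id'), events, m.group('params')

def timed_match(pattern, url):
    """Run pattern.match(url) and report (matched, seconds taken)."""
    start = time.perf_counter()
    matched = pattern.match(url) is not None
    return matched, time.perf_counter() - start

def crafted_input(n):
    # Constructed like the advisory's PoC: n name characters followed by a
    # character that nothing in the pattern can consume, so the match fails
    # only after every way of splitting the run has been tried.
    return 'http://maker.ifttt.com/use/' + '-' * n + '|'

if __name__ == '__main__':
    # Keep n small for the vulnerable pattern: each +1 roughly doubles the time.
    for n in (12, 14, 16, 18):
        print(f'vulnerable n={n:2d}: {timed_match(VULNERABLE, crafted_input(n))[1]:.4f}s')
    print(f'hardened   n=60: {timed_match(HARDENED, crafted_input(60))[1]:.6f}s')
```

Running the script shows the vulnerable pattern's time roughly doubling per extra character while the hardened pattern rejects the 60-character input immediately.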
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-120 in any communication regarding this issue.