Catastrophic backtracking on SQL/SQL+Jinja Lexer #2355
Comments
|
I'm not sure what you mean by “security channel”, but if you rely on Pygments terminating in reasonable time, don't. Please read https://pygments.org/docs/security/ That said, this indeed look like a bug. |
|
By "Security Channel", I meant I reported this privately to Red Hat (which I was informed is the CNA for this project) and also to one of the maintainers (georg@python.org). I preferred to not include the PoC here in public. I have a new similar one to report. Should I open another issue here? |
For one thing, it's quite trivial to construct one from the issue description, and for another, Pygments does not make security guarantees, so this is not a security issue. If it can be used for RE DOS, that's a bug in the application that uses Pygments. If @birkenfeld (i.e. the person behind georg@python.org) replied, I'm sure he told you the same thing.
Yes, please. |
It is waay more trivial to copy and paste it.
I understand, my aim is not to bother with which should be the most accurate tag for these kind of bugs or to discuss who should tackle it first. You project is great, and I am very grateful you are maintaining it. Thank you! Let me know if I can be of help issuing a patch and/or testing |
|
Should be better with 97eb3d5. Please confirm. |
|
LGTM! |
Fixes vulnerability described here: pygments/pygments#2355
I've added pygments directly to requirements.in since we are actually using this library in our own code. The version upgrade fixes the vulnerability described here: pygments/pygments#2355
The following pattern is inefficient, it may lead to a Regular expression Denial of Service vulnerability:
r'\{%-?\s*macro \w+\(.*\)\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}'https://github.com/pygments/pygments/blob/master/pygments/lexers/templates.py#L2295
This was originally reported privately on the security channel, but was asked to open an issue here
The text was updated successfully, but these errors were encountered: