Open bartaz opened 2 years ago
Yeah this is a bit of a pain to change. The BlockLexer that we've extended isn't in the new version and I don't know what the equivalent is - a quick search didn't turn up anything useful.
The RegEx "catastrophic backtracking" described in CVE-2022-34749, while definitely an undesirable trait, is only an actual security issue if we use mistune to parse user input - in that a user could maliciously use this as the basis for a DoS attack. This isn't the case in templatefinder, where the input is templates committed to the project codebase, or ubuntu.com, where the input is from notices stored in the security API (although this one, unlike the templates, could more easily lead to a surprising live failure I suppose). How is it used in Vanilla?
Basically, I think this should be fixed, but at the moment I don't think it's particularly high priority. I'm going to mark it as low unless Vanilla's use of it constitutes a particular security risk.
In Vanilla we use it to parse markdown from "class reference" comments in sass files, so also - content comes from our codebase.
Adding a small comment here to say that this is also blocking us from upgrading mistune on ubuntu.com: https://github.com/canonical/ubuntu.com/pull/12576
There is a security issue with the mistune dependency, but this requires a major update and seems to have a significant API change that would require rewriting some of the Markdown handling. See dependabot PR: https://github.com/canonical/canonicalwebteam.templatefinder/pull/25
Also affects Vanilla, as we use mistune directly, but we can't update to mistune v2 because templatefinder requires 0.8.4 (https://github.com/canonical/vanilla-framework/pull/4521)