github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License
1.35k stars 242 forks

[Python]: Unicode DoS #813

Closed Sim4n6 closed 3 months ago

Sim4n6 commented 5 months ago

Query PR

https://github.com/github/codeql/pull/15319

Language

Python

CVE(s) ID list

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

Report

  1. The vulnerability happens when user-controlled data reaches a costly Unicode normalization using one of the forms that consider compatibility, such as NFKC or NFKD. Such behavior allows a One Million Unicode characters attack to happen.
  2. The attack scenario is simple. An attacker uses One Million Unicode characters and hits the server with the payload multiple times.
  3. The source would be remote untrusted data. The sink would be a Unicode normalization of compatibility type (NFKC or NFKD). But the source should not have gone through a size limitation.
  4. I limited the false positives by limiting the Unicode normalization forms and by introducing a sanitizer that considers at least four ways to compare.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

https://sim4n6.beehiiv.com

Sim4n6 commented 5 months ago

The following commit is the fix intended for CVE-2023-46695. You can notice that the Django team lets developers decide whether or not to use the max_length value. This query would catch the fixed version as a hit if no max_length is set.
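
The source-to-sink pattern described in the report above (untrusted input reaching an NFKC/NFKD normalization with no size limit) and the max_length remark in the Django comment, as an added Python example that is not part of the issue, of the CodeQL query, or of Django. It uses a constructed payload: U+FDFA is a single code point whose compatibility decomposition is 18 code points long, so NFC leaves it alone while NFKC/NFKD make it 18 times larger. `normalize_unbounded` is the unsanitized sink the query flags, `normalize_bounded` adds the length check that plays the role of max_length, and `handle_request` and `MAX_INPUT_LEN` are hypothetical names chosen for this example:

```python
import unicodedata

# Constructed input (not from the issue): one code point whose NFKC/NFKD
# decomposition is 18 code points long. A one-million-character payload of it
# becomes ~18 million code points after a compatibility normalization.
EXPANDING_CHAR = "\ufdfa"  # U+FDFA ARABIC LIGATURE SALLALLAHOU ALAYHE WASALLAM

MAX_INPUT_LEN = 1000  # hypothetical cap; plays the role of Django's max_length


def normalized_length(text: str, form: str) -> int:
    """Length in code points after normalizing `text` with `form`."""
    return len(unicodedata.normalize(form, text))


def expansion_factor(text: str, form: str) -> float:
    """How many times larger `text` becomes under the given normalization form.
    NFC/NFD leave U+FDFA untouched (1.0); NFKC/NFKD expand it 18x."""
    return normalized_length(text, form) / len(text)


def normalize_unbounded(user_input: str, form: str = "NFKC") -> str:
    """The pattern the query flags: remote input flows straight into a
    compatibility normalization with no size check on the way. The cost is
    paid in CPU and in the memory of the expanded result."""
    return unicodedata.normalize(form, user_input)


def normalize_bounded(user_input: str, form: str = "NFKC",
                      max_len: int = MAX_INPUT_LEN) -> str:
    """The sanitized form: enforce a length limit on the *raw* input before
    the costly call. Checking the normalized result instead would mean the
    expensive work has already been done by the time the check runs."""
    if len(user_input) > max_len:
        raise ValueError(
            f"input of {len(user_input)} code points exceeds limit {max_len}")
    return unicodedata.normalize(form, user_input)


def handle_request(body: str, max_len: int = MAX_INPUT_LEN) -> tuple[int, int]:
    """Toy request handler (hypothetical): returns (status, normalized_length).
    413 stands in for a 'payload too large' rejection issued before any
    normalization work happens."""
    try:
        out = normalize_bounded(body, "NFKC", max_len)
    except ValueError:
        return 413, 0
    return 200, len(out)


if __name__ == "__main__":
    # The "One Million Unicode characters" payload from the report.
    payload = EXPANDING_CHAR * 1_000_000
    print("NFC  expansion factor:", expansion_factor(EXPANDING_CHAR, "NFC"))
    print("NFKC expansion factor:", expansion_factor(EXPANDING_CHAR, "NFKC"))
    print("unbounded output size:", len(normalize_unbounded(payload)))
    print("bounded handler      :", handle_request(payload))
```

The limit is deliberately applied to the input length, not the output: that is the ordering the query's sanitizer models, and it is the same ordering a framework-level max_length gives you when it is set. If the check is left to the developer, as the Django comment notes, an endpoint that forgets it is exactly the hit the query reports.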

ghsecuritylab commented 4 months ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 3 months ago

Your submission is now in status Results analysis.

ghsecuritylab commented 3 months ago

Your submission is now in status Query review.

ghsecuritylab commented 3 months ago

Your submission is now in status Final decision.

ghsecuritylab commented 3 months ago

Your submission is now in status Pay.

xcorail commented 3 months ago

Created Hackerone report 2429472 for bounty 561923 : [813] [Python]: Unicode DoS

ghsecuritylab commented 3 months ago

Your submission is now in status Closed.