rwgk
commented
11 months ago We have 9 failures in environments where pytest 7.2.0 does not seem to be available (looks like Python 3.6 & a couple specific platforms).
Could you please add conditions so that we keep using 7.0.0 on those platforms?
But a general question:
tests/requirements.txt is probably used only in the GHA here and by a few developers for local testing. I'm thinking subversion will rarely ever be in the mix. Therefore it seems like the reduction in risk potential is near zero. Is that a fair assessment?
pablospe
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context.
Description
Suggested changelog entry: