Open aydinnyunus opened 3 weeks ago
Hi @aydinnyunus - thanks for the report!
Since this is run locally on users' or clusters' machines, generally on a string handle that's programmatically generated, rather than on any sort of web service backend, I don't think exploiting this vulnerability can lead to a DoS.
At worst, it degrades the user experience of the bad actor, on their own CPUs.
The mention of "CSS sanitization" makes me think this might be being flagged by some sort of automation. If the vulnerability appears in any Python file that uses re, perhaps the change is best directed towards the folks at https://github.com/python/cpython ?
Hi @Sanjay-Ganeshan,
I was wrong about CSS sanitization; it is used in the CmdLog class. Also, the Python re package does not check for the ReDoS vulnerability, but regex should be used safely.
I am not familiar with torchx, but I created the issue because I think there is a case where a web service uses the torchx binary on the backend and uses the regex filter. Is this case possible? If not, maybe we can close the issue.
Report on ReDoS Vulnerability
Overview: A Regular Expression Denial of Service (ReDoS) vulnerability has been identified in the validate function of the codebase. This vulnerability could allow an attacker to craft a malicious input that causes excessive processing time when passed through the regular expression used for CSS validation, potentially leading to a denial of service (DoS) attack.
Impact: The vulnerability allows an attacker to construct a specially crafted input string that triggers catastrophic backtracking in the regular expression. This could cause the function to consume an excessive amount of CPU time and degrade system performance, potentially leading to a denial of service.
Recommendation: To mitigate this vulnerability, it is recommended to switch to more efficient and safer methods for CSS sanitization, such as using established libraries like Bleach or the latest version of html5lib. These libraries are designed to handle input safely and efficiently, reducing the risk of ReDoS vulnerabilities.
Proof of Concept (PoC):
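The cost the report describes is catastrophic backtracking: one near-miss input forces the engine through an exponential number of ways to split the string between ambiguous quantifiers. The following is an added defensive example, not the reporter's PoC and not torchx code. The thread never shows the regex used in validate, so SAFE_PATTERN and AMBIGUOUS_PATTERN below are constructed textbook shapes, and the length and time limits are placeholder values. The guard caps input length and runs the match in a disposable child process with a wall-clock budget, so a pathological pattern or input is rejected instead of pinning a CPU; a thread could not be used for this because it cannot be cancelled mid-match.

```python
"""Defensive guard for running an untrusted string through a regex (added example)."""
import multiprocessing as mp
import re

# Constructed limits for the example; real values depend on the field being validated.
MAX_INPUT_LEN = 256       # hard cap on the string length that reaches the regex
MATCH_TIMEOUT_S = 0.5     # wall-clock budget for a single match

# Prefer fork where available so the worker needs no re-import of this module.
_CTX = mp.get_context("fork") if "fork" in mp.get_all_start_methods() else mp.get_context()


def _match_worker(pattern: str, text: str, conn) -> None:
    """Runs in a child process so a backtracking blow-up can simply be killed."""
    conn.send(re.fullmatch(pattern, text) is not None)
    conn.close()


def guarded_fullmatch(pattern: str, text: str,
                      max_len: int = MAX_INPUT_LEN,
                      timeout_s: float = MATCH_TIMEOUT_S) -> bool:
    """Return True if text fully matches pattern.

    Raises ValueError for over-long input and TimeoutError when matching
    exceeds the budget, so the caller rejects the input instead of burning CPU.
    """
    re.compile(pattern)  # surface a bad pattern here, not as a silent child failure
    if len(text) > max_len:
        raise ValueError(f"input length {len(text)} exceeds limit {max_len}")
    recv_conn, send_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_worker, args=(pattern, text, send_conn))
    proc.start()
    send_conn.close()  # parent keeps only the receiving end
    if recv_conn.poll(timeout_s):
        result = recv_conn.recv()
        proc.join()
        return result
    proc.terminate()   # budget exhausted: kill the worker, drop the input
    proc.join()
    raise TimeoutError(f"regex {pattern!r} exceeded {timeout_s}s on input of length {len(text)}")


# Constructed patterns: an unambiguous handle-style pattern, and the textbook
# nested-quantifier shape that backtracks exponentially on a near-miss input.
SAFE_PATTERN = r"[a-z_][a-z0-9_]*"
AMBIGUOUS_PATTERN = r"(a+)+$"


def classify(pattern: str, text: str) -> str:
    """Wrap the guard so callers get a single outcome string."""
    try:
        return "match" if guarded_fullmatch(pattern, text) else "no-match"
    except ValueError:
        return "rejected-too-long"
    except TimeoutError:
        return "rejected-timeout"


if __name__ == "__main__":
    print(classify(SAFE_PATTERN, "my_handle_01"))          # match
    print(classify(SAFE_PATTERN, "a" * 1000))              # rejected-too-long
    print(classify(AMBIGUOUS_PATTERN, "a" * 40 + "!"))     # rejected-timeout
```

The length cap is the cheaper of the two controls and should come first: with a bounded input even a quadratic pattern stays affordable, and the process budget is the backstop for patterns whose cost is exponential in that bound.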