Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bundled configobj subject to CVE-2023-26112 #106

Closed
braingram opened this issue Sep 5, 2023 · 3 comments · Fixed by #108
Closed

Bundled configobj subject to CVE-2023-26112 #106

braingram opened this issue Sep 5, 2023 · 3 comments · Fixed by #108

Comments

@braingram
Copy link
Collaborator

braingram commented Sep 5, 2023

configobj is subject to a ReDoS: GHSA-c33w-24p9-8m24

This regex used to parse the config/spec items suffers from catastrophic backtracking:

_func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)

This is one useful write-up on the issue: https://www.regular-expressions.info/catastrophic.html

The upstream/bundled project appears abandoned but does have an open PR that appears to fix the offending regex:
DiffSK/configobj#236

Given the level of control necessary to exploit the issue (it seems likely a Step.spec could be crafted to exploit it) it seems like a low risk as the step could also just include a while True. I haven't thought through what this means for command line options or if a ReDoS in python is limited to one cpu.

@WilliamJamieson
Copy link
Collaborator

WilliamJamieson commented Sep 6, 2023

Since configobj is at least marginally supported as a mature library by https://github.com/DiffSK/configobj, under the PyPi name: configobj. I don't see why there is any need for stpipe to bundle its own version of configobj to begin with.

Historically, it looks as though configobj was abandoned and not fully available on PyPi at the time it was pulled into stpipe's extern. Since then it was resurrected as a mature library and maintained for bugfix purposes.

@braingram
Copy link
Collaborator Author

Unfortunately the configobj project is not maintained as mentioned in the readme:
"""
This is a mature project that is not actively maintained at this time.
"""

@WilliamJamieson
Copy link
Collaborator

The larger issue is that we really ought to be using a configuration format like toml which is much more widely used and supported instead of effectively rolling our own special format.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants