A Series of Simple DOS Vulnerabilities #134873

kexinoh opened this issue May 29, 2025 · 16 comments
Labels: 3.9 only security fixes; 3.10 only security fixes; 3.11 only security fixes; 3.12 only security fixes; 3.13 bugs and security fixes; 3.14 bugs and security fixes; stdlib (Python modules in the Lib dir); topic-email; topic-IDLE; topic-pathlib; type-security (A security issue)

Comments

@kexinoh commented May 29, 2025

Bug report

Bug description:

We have identified a series of simple quadratic complexity vulnerabilities. After confirmation by CPython's security team, since these DOS vulnerabilities pose a low threat and are relatively tedious to exploit, we can directly initiate requests in issues to seek assistance from the community for fixes.
Below are the specific locations of the different complexity issues we discovered.

1. def expandvars(path):
2. def _parseparam(s):
3. while methodname[:1] == '<':
4. def get_phrase(value):
5. while value and (value[0]=='\\' or value[0] not in PHRASE_ENDS):
6. value = value[1:]
7. value = value[1:]
8. value = value[1:]
9. value = value[1:]
10. value = value[1:]
11. value = value[1:]
12. value = value[1:]
13. value = value[1:]
14. value = value[1:]
15. value = value[1:]
16. to_encode = to_encode[1:]
17. def expandvars(str, vars):
18. def expandvars(path):
19. while True:
20. while line and line[-1] in " \t":
21. while platform and platform[-1] == '-':

Current repair status:

03/19 have been fixed. @johnzhou721
1 has been fixed. @Wulian233
2/4/5/6/7/8/9/10/11/12/13/14/15/16 have been fixed. @picnixz
1/18 have been fixed. @serhiy-storchaka

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Credits

Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.
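
The pattern that recurs in items 5 through 16 is a loop that consumes one character at a time with `value = value[1:]`; each step copies the rest of the string, so a long run of phrase characters costs quadratic time. The snippet below is an added illustration, not code from CPython or from this issue: it places that loop shape beside an index-based rewrite and times both on a constructed header-like string. `PHRASE_ENDS` here is a stand-in set rather than the stdlib's, and the two scan functions are simplified stand-ins for the parser's real tokenizers.

```python
import time

# Stand-in for email._header_value_parser.PHRASE_ENDS (constructed; the real
# set lives in the stdlib and is not reproduced here).
PHRASE_ENDS = set('\'".;,:<>')


def scan_phrase_quadratic(value):
    """Loop shape flagged in the issue: `value = value[1:]` on every step.

    Each slice copies the remaining string, so consuming a run of n
    non-terminator characters performs O(n^2) character copies.
    Returns (characters consumed, remaining text)."""
    consumed = 0
    while value and (value[0] == '\\' or value[0] not in PHRASE_ENDS):
        value = value[1:]          # O(len(value)) copy per iteration
        consumed += 1
    return consumed, value


def scan_phrase_linear(value):
    """Same result, but advance an index and slice exactly once at the end."""
    i = 0
    while i < len(value) and (value[i] == '\\' or value[i] not in PHRASE_ENDS):
        i += 1
    return i, value[i:]


def timed(fn, value):
    """Run fn(value) and return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = fn(value)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed input: a long run of phrase characters followed by a terminator,
    # the shape an attacker-controlled header would need to trigger the slowdown.
    header = "a" * 50_000 + ";rest"
    (n_q, rest_q), t_q = timed(scan_phrase_quadratic, header)
    (n_l, rest_l), t_l = timed(scan_phrase_linear, header)
    assert (n_q, rest_q) == (n_l, rest_l)   # both scans agree on the tokenization
    print(f"quadratic: {t_q:.3f}s  linear: {t_l:.3f}s  consumed={n_q} chars")
```

Doubling the length of `header` roughly quadruples the first timing and only doubles the second, which is the signature to look for when triaging similar `x = x[1:]` loops.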

@kexinoh kexinoh added the type-bug An unexpected behavior, bug, or error label May 29, 2025
@ZeroIntensity ZeroIntensity added type-security A security issue 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes topic-email 3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes and removed type-bug An unexpected behavior, bug, or error labels May 29, 2025
@kexinoh (Author) commented May 29, 2025

Okay, I will maintain a note in the issue regarding the completed repair part. I hope others can complete the remaining sections.

@ZeroIntensity (Member)

cc @sethmlarson I'm assuming you're aware of this

After confirmation by CPython's security team

@sethmlarson (Contributor)

@ZeroIntensity Indeed, some of these have been reported to PSRT and I recommended a public issue.

@Wulian233 (Contributor)

I fixed posixpath in #134927

@kexinoh (Author) commented May 30, 2025

I fixed posixpath in #134927

Among them, both 17 and 18 belong to path replacement issues. I think you can fix them together, which will accelerate the repair speed. It should be additionally noted that other problems such as the infinite loop vulnerability caused by 17 need to be handled.

@picnixz picnixz added stdlib Python modules in the Lib dir topic-IDLE labels May 30, 2025
@serhiy-storchaka serhiy-storchaka self-assigned this May 30, 2025
@serhiy-storchaka (Member)

As for expandvars(), there is a more efficient way. Also, I suspect there is another quadratic complexity vulnerability here. I am working on this.

@kexinoh (Author) commented May 30, 2025

As for expandvars(), there is a more efficient way. Also, I suspect there is another quadratic complexity vulnerability here. I am working on this.

Yes, there are still some vulnerabilities.
update: I have added two more.

@Wulian233 (Contributor) commented May 31, 2025

I may have found a new one:

paths.extend(arg._raw_paths)

import pathlib
import time

def create_deep_path(n):
    p = pathlib.PurePath("a")
    for _ in range(n):
        p = pathlib.PurePath(p, p) # Each iteration doubles the number of path segments
    return p

start = time.time()
# 2^20 ≈ 1,000,000
deep_path = create_deep_path(20)
str(deep_path)  # Path resolution is triggered, which consumes a large amount of resources
end = time.time()
print(f"Time taken: {end - start:.2f} seconds")

Possible fix: replace with paths.append(str(arg))

Now: Time taken: 0.51 seconds
Fix: Time taken: 0.24 seconds

@barneygale Can you confirm this?

Edit: 3.14 3.15 only #130748

@picnixz (Member) commented May 31, 2025

_raw_paths contains unjoined parts, so we still need them in full:

# The `_raw_paths` slot stores unjoined string paths. This is set in
# the `__init__()` method.
'_raw_paths',

Note that str(...) actually joins the string paths, so the behavior is not the same.
