
[GHSA-2p9h-ccw7-33gf] cleo is vulnerable to Regular Expression Denial of Service (ReDoS)#7819

Open
levpachmanov wants to merge 1 commit into levpachmanov/advisory-improvement-7819 from levpachmanov-GHSA-2p9h-ccw7-33gf

Conversation

@levpachmanov

Updates

  • Affected products

Comments
CVE-2022-42966 (GHSA-2p9h-ccw7-33gf, CWE-1333) is an exponential ReDoS in
cleo.ui.table.Table. When rendering a cell, Table runs a style-tag detection
regex with nested quantifiers over attacker-influenced cell content
(Table.set_rows):

```python
# vulnerable (cleo/ui/table.py)
is_not_styled_by_tag = not re.match(
    r"^<(\w+|(\w+=[\w,]+;?)*)>.+</(\w+|(\w+=\w+;?)*)?>$", str(cell)
)
```

The (\w+=[\w,]+;?)* group backtracks exponentially. The fix
(b5b9a04, PR python-poetry/cleo#285) constrains the alternatives to the real
style keys:

```python
# fixed
r"^<(\w+|((?:fg|bg|options)=[\w,]+;?)+)>.+<\/(\w+|((?:fg|bg|options)=[\w,]+;?)+)?>$"
```

Evidence

All commands were run against a full mirror of python-poetry/cleo
(/Volumes/src/ali-security/cleo-2705).

Introduction and fix commits

| | commit | date | note |
|---|---|---|---|
| Introduced | de55578 "Refactor code" | 2021-01-29 | adds is_not_styled_by_tag regex to cleo/ui/table.py |
| Fixed | b5b9a04 "Change regex string to less permissive one" | 2022-11-20 | PR #285 |

Tag containment (git tag --contains)

  • Vulnerable code present (--contains de55578):
    1.0.0a1 1.0.0a2 1.0.0a3 1.0.0a4 1.0.0a5 1.0.0 2.0.0 2.0.1 2.1.0 2.2.0 2.2.1
  • Fix present (--contains b5b9a04):
    1.0.0 2.0.0 2.0.1 2.1.0 2.2.0 2.2.1
  • Affected = (has code) − (has fix) = 1.0.0a1 … 1.0.0a5
  • No 0.x / v0.x tag contains de55578.
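A regression check for the fix described above, added here as an example and not part of the advisory or of cleo itself: it confirms that the less permissive regex still accepts the style tags cleo's formatter emits, shows the one input class it stops accepting (keys other than fg/bg/options), and times the fixed pattern on a long, unterminated tag whose key/value boundary is ambiguous. The cells and the long input are constructed for this example.

```python
import re
import time

# Style-tag detection regex as shipped in cleo/ui/table.py before the fix
# (CVE-2022-42966): \w+ and [\w,]+ overlap inside (\w+=[\w,]+;?)*, so a
# failing match backtracks through exponentially many splits.
VULNERABLE = re.compile(r"^<(\w+|(\w+=[\w,]+;?)*)>.+</(\w+|(\w+=\w+;?)*)?>$")

# Regex after b5b9a04 (PR python-poetry/cleo#285): the key must be one of the
# literal style keys fg, bg or options, which removes the overlap.
FIXED = re.compile(
    r"^<(\w+|((?:fg|bg|options)=[\w,]+;?)+)>.+<\/(\w+|((?:fg|bg|options)=[\w,]+;?)+)?>$"
)


def is_styled_by_tag(cell, pattern=FIXED):
    """True when Table would treat the cell as already styled by a tag."""
    return pattern.match(str(cell)) is not None


# Constructed cells: (result before fix, result after fix). The styled ones
# are the shapes cleo's formatter produces; the last uses a non-style key.
CELLS = {
    "<info>ok</info>": (True, True),
    "<fg=red>text</fg=red>": (True, True),
    "<fg=red;options=bold>hi</>": (True, True),
    "plain text": (False, False),
    "<foo=bar>x</foo=bar>": (True, False),  # only the old regex accepts this
}


def compare_patterns(cells=CELLS):
    """Return {cell: (old_result, new_result)} for reviewing the fix."""
    return {
        cell: (is_styled_by_tag(cell, VULNERABLE), is_styled_by_tag(cell, FIXED))
        for cell in cells
    }


def match_seconds(pattern, cell):
    """Wall-clock time of one match attempt, used as a regression guard."""
    start = time.perf_counter()
    pattern.match(cell)
    return time.perf_counter() - start


# Constructed: a long unterminated tag with an ambiguous key/value boundary.
# The fixed pattern rejects it in a single pass, well under a second.
LONG_AMBIGUOUS_CELL = "<fg=" + "aaa=" * 400

if __name__ == "__main__":
    for cell, (old, new) in compare_patterns().items():
        print(f"{cell!r}: before={old} after={new}")
    print(f"fixed regex on {len(LONG_AMBIGUOUS_CELL)} chars: {match_seconds(FIXED, LONG_AMBIGUOUS_CELL):.4f}s")
```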

github-actions (bot) changed the base branch from main to levpachmanov/advisory-improvement-7819 on May 27, 2026 20:47