DiffSK/configobj

Vulnerable regex detected by Snyk. Please fix or avoid regex

wannfq opened this issue a year ago · 3 comments

wannfq commented a year ago

configobj/src/configobj/validate.py

Line 534 in e2ba445

_func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)

wannfq commented a year ago

Ref: https://learn.snyk.io/lesson/redos/?_gl=1*1w34pg6*_ga*NzgwNjYzODE3LjE2OTE2NDQ3MDc.*_ga_X9SH3KP7B4*MTY5MjE4NTc5OS4yMS4xLjE2OTIxODU4NjEuMC4wLjA.

IloBe commented a year ago

Additional info:

https://quay.io/repository/eclipse/che-sidecar-go/manifest/sha256:2243f389534abc38938f454e01b6653b88ff19048ec4c3ecc0a66e652cb017d0?tab=vulnerabilities
with pip-audit lib:
configobj 5.0.8 GHSA-c33w-24p9-8m24 Failed to fix configobj (5.0.8): failed to fix dependency configobj (5.0.8), unable to find fix version for vulnerability GHSA-c33w-24p9-8m24

thebaptiste commented a year ago

Maintainers seem to be in long holidays, ill, retired or dead...
See PR #236 opened by @cdcadman since May 17 on this subject.

😄2