HackerOne report H1:2591681 by l33thaxor
Jul 09, 2024 - 4:15 p.m.

Internet Bug Bounty: CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time complexity of strip_punctuation.

hackerone.com
$2142
Tags: internet bug bounty, vulnerability, resource consumption, denial-of-service, strip_punctuation, urlize, urlizetrunc, email address, impact, time complexity, input validation

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 6.5
Confidence: Low

CVE-2024-38875 is a denial-of-service vulnerability in Django's urlize and urlizetrunc template filters. Both delegate to django.utils.html.Urlizer, whose trim_punctuation method (called strip_punctuation in the report title) peels wrapping brackets (parentheses and square brackets) and trailing punctuation off each word. Every pass of its trimming loop removes at most one bracket from each end of the word but rescans and copies the whole remaining word, so a word made of a very large number of opening brackets followed by matching closing brackets costs quadratic time. Any view or template that runs user-supplied text through these filters lets an unauthenticated request pin a worker's CPU with such a string.

Here is the vulnerable function (the trim_punctuation method of Django's Urlizer). The import and the two class attributes the method reads are added here so the snippet is self-contained; the method body is as reported:

import html


class Urlizer:
    # Values from django.utils.html.Urlizer: the bracket pairs that may wrap a
    # word, and the punctuation characters that may trail it.
    trailing_punctuation_chars = ".,:;!"
    wrapping_punctuation = [("(", ")"), ("[", "]")]

    # SNIP

    def trim_punctuation(self, word):
        """
        Trim trailing and wrapping punctuation from `word`. Return the items of
        the new state.
        """
        lead, middle, trail = "", word, ""
        # Continue trimming until middle remains unchanged.
        trimmed_something = True
        # Each pass removes at most one character per bracket pair, yet does
        # O(len(middle)) work: removeprefix/removesuffix copy the string, the
        # two count() calls scan it, and html.unescape()/rstrip() scan it again.
        # For n nested brackets the loop runs n times, so the worst case is O(n^2).
        while trimmed_something:
            trimmed_something = False
            # Trim wrapping punctuation.
            for opening, closing in self.wrapping_punctuation:
                if middle.startswith(opening):
                    middle = middle.removeprefix(opening)
                    lead += opening
                    trimmed_something = True
                # Keep parentheses at the end only if they're balanced.
                if (
                    middle.endswith(closing)
                    and middle.count(closing) == middle.count(opening) + 1
                ):
                    middle = middle.removesuffix(closing)
                    trail = closing + trail
                    trimmed_something = True
            # Trim trailing punctuation (after trimming wrapping punctuation,
            # as encoded entities contain ';'). Unescape entities to avoid
            # breaking them by removing ';'.
            middle_unescaped = html.unescape(middle)
            stripped = middle_unescaped.rstrip(self.trailing_punctuation_chars)
            if middle_unescaped != stripped:
                punctuation_count = len(middle_unescaped) - len(stripped)
                trail = middle[-punctuation_count:] + trail
                middle = middle[:-punctuation_count]
                trimmed_something = True
        return lead, middle, trail

    # SNIP
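To make the blow-up measurable, the following is an added example written for this page; it is not code from the report or from Django. It re-implements the trimming loop stand-alone with a pass counter and runs it both in the reported form and with one assumed hardening: consuming the whole leading run of opening brackets with str.lstrip before the loop starts. The bracket pairs and trailing punctuation are the values Django's Urlizer uses; the names `catastrophic_input`, `compare` and the `bulk_lead_strip` flag are invented here, and the attacker input is constructed.

```python
import html

# Bracket pairs and trailing punctuation as configured on Django's Urlizer.
# Everything else in this file is a stand-alone re-implementation written for
# this write-up so the two strategies can be compared; it is not Django code.
WRAPPING_PUNCTUATION = [("(", ")"), ("[", "]")]
TRAILING_PUNCTUATION_CHARS = ".,:;!"
OPENINGS = "".join(opening for opening, _ in WRAPPING_PUNCTUATION)


def trim_punctuation(word, bulk_lead_strip=False):
    """Return (lead, middle, trail, passes).

    bulk_lead_strip=False reproduces the vulnerable algorithm from the report:
    each pass of the while loop removes at most one wrapping character per
    bracket pair but copies and rescans the whole remaining string.
    bulk_lead_strip=True applies one possible hardening (an assumption of this
    example, not necessarily the upstream patch): the run of leading opening
    brackets is consumed once with str.lstrip before the loop starts.
    `passes` counts loop iterations so the blow-up is visible without timing.
    """
    lead, middle, trail = "", word, ""
    if bulk_lead_strip:
        middle = word.lstrip(OPENINGS)
        lead = word[: len(word) - len(middle)]
    passes = 0
    trimmed_something = True
    while trimmed_something:
        passes += 1
        trimmed_something = False
        for opening, closing in WRAPPING_PUNCTUATION:
            if middle.startswith(opening):
                middle = middle.removeprefix(opening)  # O(len(middle)) copy
                lead += opening
                trimmed_something = True
            # Keep a trailing closer only if it balances the openers inside;
            # both count() calls scan the whole remaining string.
            if (
                middle.endswith(closing)
                and middle.count(closing) == middle.count(opening) + 1
            ):
                middle = middle.removesuffix(closing)
                trail = closing + trail
                trimmed_something = True
        # Trailing punctuation is stripped on the unescaped text so an entity
        # such as "&amp;" keeps its ';'. unescape() is another scan of middle.
        middle_unescaped = html.unescape(middle)
        stripped = middle_unescaped.rstrip(TRAILING_PUNCTUATION_CHARS)
        if middle_unescaped != stripped:
            punctuation_count = len(middle_unescaped) - len(stripped)
            trail = middle[-punctuation_count:] + trail
            middle = middle[:-punctuation_count]
            trimmed_something = True
    return lead, middle, trail, passes


def catastrophic_input(n):
    """Constructed attacker word: n openers, a colon, n matching closers."""
    return "(" * n + ":" + ")" * n


def compare(word):
    """Run both strategies on `word`; return (vulnerable_passes, hardened_passes).

    Also checks the invariant lead + middle + trail == word for both variants:
    trimming only moves characters between the three parts, it never drops any.
    """
    slow = trim_punctuation(word)
    fast = trim_punctuation(word, bulk_lead_strip=True)
    if "".join(slow[:3]) != word or "".join(fast[:3]) != word:
        raise AssertionError("trimming must only move characters, not drop them")
    return slow[3], fast[3]


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        slow_passes, fast_passes = compare(catastrophic_input(n))
        print(f"n={n}: vulnerable loop passes={slow_passes}, hardened={fast_passes}")
```

For the constructed input the reported algorithm needs n + 1 passes, each scanning a string of roughly 2n characters, while the lstrip variant exits after a single pass; counting passes rather than wall-clock time makes this a deterministic regression check. The hardening is not free of side effects: for a doubly wrapped URL such as "((http://example.com))" the reported loop returns middle "http://example.com" with both closers in trail, whereas the lstrip variant leaves "http://example.com))" in middle because the balance check no longer sees the openers it moved into lead. Whether that trade is acceptable depends on how the caller treats the middle part; here it matters only for link text, not for the absence of the quadratic path.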

I have attached the files which I initially sent when I reported this vulnerability; they demonstrate it.
My own personal email address is: [email protected]

Impact

An unauthenticated attacker can cause denial of service through uncontrolled CPU consumption by submitting a specially crafted string (a long run of wrapping brackets) to any view or template that passes user input through urlize or urlizetrunc, and hence through strip_punctuation. Confidentiality and integrity are not affected; the impact is availability only, as the CVSS vector records.
