GMS-2020-698: regular expression denial-of-service in Bleach

March 30, 2020 (updated August 23, 2021)

Impact

bleach.clean behavior parsing style attributes could result in a regular expression denial of service .

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, ``bleach.clean(…, attributes={‘a’: ‘style’ Workarounds

do not allowlist the style attribute in bleach.clean calls
limit input string length

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
https://www.regular-expressions.info/redos.html
https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817

Credits

Reported by schwag09 of r2c

For more information

If you have any questions or comments about this advisory:

Open an issue at https://github.com/mozilla/bleach/issues
Email us at security@mozilla.org

References

bugzilla.mozilla.org/show_bug.cgi?id=1623633
github.com/advisories/GHSA-vqhp-cxgc-6wmm
github.com/mozilla/bleach/releases/tag/v3.1.4
github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm
nvd.nist.gov/vuln/detail/CVE-2020-6817
snyk.io/vuln/SNYK-PYTHON-BLEACH-561754

Detect and mitigate GMS-2020-698 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →