CVE-2020-7212: Uncontrolled Resource Consumption
The `_encode_invalid_chars` function in `util/url.py` in the urllib3 library for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The `percent_encodings` array contains every match of a percent-encoding in the component and is not deduplicated, so for a URL of length N its size may be up to O(N). The next step (normalizing existing percent-encoded bytes) also costs up to O(N) per entry, giving a total running time of O(N^2). If `percent_encodings` were deduplicated, the time to compute `_encode_invalid_chars` would be O(kN), where k is at most ((10+6*2)^2).
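As an added illustration (not urllib3's own code), a simplified re-implementation of the normalization step described above, with the per-occurrence variant beside a deduplicated one and a counter for how many full passes over the input each performs; `PERCENT_RE`, the function names and the constructed sample input are assumptions.

```python
import re

# One percent-encoded byte: "%" followed by two hex digits, e.g. "%2f" or "%2F".
# Only 22 distinct hex characters exist, so at most 22*22 distinct matches are possible.
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalize_quadratic(component):
    """Upper-case percent-encodings the way the advisory describes the affected version.

    findall() returns one entry per occurrence, duplicates included, and each
    entry triggers a full str.replace() scan of the component, so N matches
    cost N scans of an N-character string: O(N^2).
    Returns (normalized_component, number_of_replace_scans).
    """
    percent_encodings = PERCENT_RE.findall(component)
    scans = 0
    for enc in percent_encodings:
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            scans += 1
    return component, scans


def normalize_dedup(component):
    """Same result, but the match list is deduplicated first.

    The number of replace() scans is now bounded by the constant k (at most
    22*22 distinct encodings), so the total cost is O(kN) as the advisory notes.
    """
    percent_encodings = set(PERCENT_RE.findall(component))
    scans = 0
    for enc in percent_encodings:
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            scans += 1
    return component, scans


def normalize_single_pass(component):
    """Alternative fix: one regex substitution pass, O(N) for any input."""
    normalized, _count = PERCENT_RE.subn(lambda m: m.group(0).upper(), component)
    return normalized


if __name__ == "__main__":
    # Constructed sample: a query string repeating one lowercase encoding.
    sample = "/path?q=" + "%2f" * 1000
    print("quadratic scans:", normalize_quadratic(sample)[1])  # 1000
    print("dedup scans:    ", normalize_dedup(sample)[1])      # 1
```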