mirror of
https://git.yoctoproject.org/git/poky
synced 2026-01-01 13:58:04 +00:00
b402c3ac78
CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. The CVE issue is fixed by 3 different commits between the releases 2.14.0 (for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/ 1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version. Commit:dd52102c38Hence, backported the patch as CVE-2022-40896.patch. 2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version. Commit:97eb3d5ec7Actually, this code doesn't exist in 2.11.2 version and it has been introduce by python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version. SQL+Jinja lexers is introduced by:0bdbd5992b3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version. Commit:fdf182a7afActually, this code also doesn't exist in 2.11.2 version as the code has been modified in python3-pygments 2.14.0 by:a38cb38e93Hence, this is also not vulnerable for 2.11.2 version. (From OE-Core rev: ebb224e65a7e1402ccf0d9517bd72748c18e012e) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
125 lines
4.2 KiB
Diff
125 lines
4.2 KiB
Diff
From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001
|
|
From: Narpat Mali <narpat.mali@windriver.com>
|
|
Date: Wed, 6 Sep 2023 10:32:38 +0000
|
|
Subject: [PATCH] Improve the Smithy metadata matcher.
|
|
|
|
Previously, metadata foo bar baz = 23 was accepted, but according to
|
|
the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection
|
|
it should be "metadata"<whitespace>Identifier/String<optional whitespace>.
|
|
|
|
CVE: CVE-2022-40896
|
|
|
|
Upstream-Status: Backport [https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04]
|
|
|
|
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
|
|
---
|
|
pygments/lexers/smithy.py | 5 +-
|
|
tests/examplefiles/smithy/test.smithy | 12 +++++
|
|
tests/examplefiles/smithy/test.smithy.output | 52 ++++++++++++++++++++
|
|
3 files changed, 67 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py
|
|
index 0f0a912..c5e25cd 100644
|
|
--- a/pygments/lexers/smithy.py
|
|
+++ b/pygments/lexers/smithy.py
|
|
@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer):
|
|
(words(aggregate_shapes,
|
|
prefix=r'^', suffix=r'(\s+' + identifier + r')'),
|
|
bygroups(Keyword.Declaration, Name.Class)),
|
|
- (r'^(metadata)(\s+.+)(\s*)(=)',
|
|
- bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)),
|
|
+ (r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)',
|
|
+ bygroups(Keyword.Declaration, Whitespace, Name.Class,
|
|
+ Whitespace, Name.Decorator)),
|
|
(r"(true|false|null)", Keyword.Constant),
|
|
(r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number),
|
|
(identifier + ":", Name.Label),
|
|
diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy
|
|
index 3d20f06..9317fee 100644
|
|
--- a/tests/examplefiles/smithy/test.smithy
|
|
+++ b/tests/examplefiles/smithy/test.smithy
|
|
@@ -2,6 +2,18 @@ $version: "1.0"
|
|
|
|
namespace test
|
|
|
|
+metadata "foo" = ["bar", "baz"]
|
|
+metadata validators = [
|
|
+ {
|
|
+ name: "ValidatorName"
|
|
+ id: "ValidatorId"
|
|
+ message: "Some string"
|
|
+ configuration: {
|
|
+ selector: "operation"
|
|
+ }
|
|
+ }
|
|
+]
|
|
+
|
|
/// Define how an HTTP request is serialized given a specific protocol,
|
|
/// authentication scheme, and set of input parameters.
|
|
@trait(selector: "operation")
|
|
diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output
|
|
index 1f22489..db44a38 100644
|
|
--- a/tests/examplefiles/smithy/test.smithy.output
|
|
+++ b/tests/examplefiles/smithy/test.smithy.output
|
|
@@ -7,6 +7,58 @@
|
|
' test' Name.Class
|
|
'\n\n' Text.Whitespace
|
|
|
|
+'metadata' Keyword.Declaration
|
|
+' ' Text.Whitespace
|
|
+'"foo"' Name.Class
|
|
+' ' Text.Whitespace
|
|
+'=' Name.Decorator
|
|
+' ' Text.Whitespace
|
|
+'[' Text
|
|
+'"bar"' Literal.String.Double
|
|
+',' Punctuation
|
|
+' ' Text.Whitespace
|
|
+'"baz"' Literal.String.Double
|
|
+']' Text
|
|
+'\n' Text.Whitespace
|
|
+
|
|
+'metadata' Keyword.Declaration
|
|
+' ' Text.Whitespace
|
|
+'validators' Name.Class
|
|
+' ' Text.Whitespace
|
|
+'=' Name.Decorator
|
|
+' ' Text.Whitespace
|
|
+'[' Text
|
|
+'\n ' Text.Whitespace
|
|
+'{' Text
|
|
+'\n ' Text.Whitespace
|
|
+'name:' Name.Label
|
|
+' ' Text.Whitespace
|
|
+'"ValidatorName"' Literal.String.Double
|
|
+'\n ' Text.Whitespace
|
|
+'id:' Name.Label
|
|
+' ' Text.Whitespace
|
|
+'"ValidatorId"' Literal.String.Double
|
|
+'\n ' Text.Whitespace
|
|
+'message:' Name.Label
|
|
+' ' Text.Whitespace
|
|
+'"Some string"' Literal.String.Double
|
|
+'\n ' Text.Whitespace
|
|
+'configuration:' Name.Label
|
|
+' ' Text.Whitespace
|
|
+'{' Text
|
|
+'\n ' Text.Whitespace
|
|
+'selector:' Name.Label
|
|
+' ' Text.Whitespace
|
|
+'"operation"' Literal.String.Double
|
|
+'\n ' Text.Whitespace
|
|
+'}' Text
|
|
+'\n ' Text.Whitespace
|
|
+'}' Text
|
|
+'\n' Text.Whitespace
|
|
+
|
|
+']' Text
|
|
+'\n\n' Text.Whitespace
|
|
+
|
|
'/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline
|
|
'\n' Text.Whitespace
|
|
|
|
--
|
|
2.40.0
|