Project

General

Profile

Actions

Todo #12265

closed

Improve uses of ``grep`` which utilize user-supplied patterns

Added by Jim Pingle over 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Operating System
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default

Description

See #12257 and 57a737f1 for examples

A few things to watch out for:

  • Patterns passed to grep based on user-controlled input that should be sanitized.
  • Dangerous patterns such as back references (e.g. \1) or group repetition (a)* which are unlikely to be used legitimately and are known sources of problems in grep, leading to a potential DoS due to CPU exhaustion.
  • Patterns passed to grep which could start with a - and be misinterpreted as grep command line parameters, leading to problems like other files being read that shouldn't be. Can be worked around by placing the pattern after -- e.g. grep -- <pattern>.

Examples of mitigation are in 57a737f1

Actions #2

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle over 2 years ago

  • Subject changed from Check usage of grep for potential dangers to Improve uses of ``grep`` which utilize user-supplied patterns

Updating subject for release notes.

Actions #4

Updated by Jim Pingle over 2 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions #5

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

These have been working better since the changes went in, no sign of side effects thus far either.

Actions #6

Updated by Jim Pingle about 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF