Vulnerable Regular Expression in inventory

[yetingli]

Type of Issue
Potential Regex Denial of Service (ReDoS)

Description
The vulnerable regular expression is located in

sphinx/sphinx/util/inventory.py

Line 125 in 31f26a0

m = re.match(r'(?x)(.+?)\s+(\S*:\S*)\s+(-?\d+)\s+?(\S*)\s+(.*)',

The ReDOS vulnerability of the regex is mainly due to the sub-patterns (\S*:\S*) and can be exploited with the following string
" " + ":" * 5000

I think you can limit the input length or modify this regex.

[tk0miya]

Thank you for reporting.
I posted #8225 to fix this. Please check it if you have time.

[yetingli]

Hi @tk0miya ,
Thank you for your reply. But sorry I did not find your fix. Maybe I would suggest you can use ([^\s:]*:[^\s:]*) OR ([^\s:]*:\S*) instead of the sub-pattern (\S*:\S*)

[tk0miya]

Oops... I pushed the correct fix to the GitHub. Could you check it again, please?

[yetingli]

The pattern modification looks good to me.

[tk0miya]

Thank you for your confirmation!