diff options
author | Matthäus G. Chajdas <dev@anteru.net> | 2022-08-19 20:53:02 +0200 |
---|---|---|
committer | Matthäus G. Chajdas <dev@anteru.net> | 2022-08-19 20:53:02 +0200 |
commit | 4d723136a437422225d5f9ed83538e9ca3cf5196 (patch) | |
tree | 0544fd1e39c371342b696a3de948a4ad87cb3f94 /README.rst | |
parent | bb780f42fff0c9c278b33c545b445ded1179561b (diff) | |
download | pygments-git-4d723136a437422225d5f9ed83538e9ca3cf5196.tar.gz |
Add security considerations.
Diffstat (limited to 'README.rst')
-rw-r--r-- | README.rst | 31 |
1 files changed, 31 insertions, 0 deletions
@@ -48,6 +48,37 @@ Contribution guidelines are found in Contributing.md_. .. _Contributing.md: https://github.com/pygments/pygments/blob/master/Contributing.md +Security considerations +----------------------- + +Pygments provides no guarantees on the execution time, which needs to be taken +into consideration when using Pygments to process arbitrary user inputs. For +example, if you have a web service which uses Pygments for highlighting, there +may be inputs which will cause the Pygments process to run "forever" and/or use +significant amounts of memory. This can subsequently be used to perform a +remote denial-of-service attack on the server if the processes are not +terminated quickly. + +Unfortunately, it's practically impossible to harden Pygments itself against +those effects: Some regular expressions can result in "catastrophic +backtracking", but other bugs like incorrect matchers can also +cause similar issues, and there is no way to find them in an automated fashion +(short of solving the halting problem.) Pygments has extensive unit tests, automated randomized testing, and is also tested by `OSS-Fuzz <https://github.com/google/oss-fuzz/tree/master/projects/pygments>`_, but we will never be +able to eliminate all bugs in this area. + +Our recommendations are: + +* Ensure that the Pygments process is _terminated_ after a reasonably short + timeout. In general Pygments should take seconds at most for reasonably-sized + input. +* _Limit_ the number of concurrent Pygments processes to avoid oversubscription + of resources. + +The Pygments authors will treat any bug resulting in long processing times with +high priority -- it's one of those things that will be fixed in a patch release. +When reporting a bug where you suspect super-linear execution times, please make +sure to attach an input to reproduce it. + The authors ----------- |