From 4d723136a437422225d5f9ed83538e9ca3cf5196 Mon Sep 17 00:00:00 2001 From: Matthäus G. Chajdas Date: Fri, 19 Aug 2022 20:53:02 +0200 Subject: Add security considerations. --- README.rst | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'README.rst') diff --git a/README.rst b/README.rst index e9633e05..eaebe957 100644 --- a/README.rst +++ b/README.rst 
@@ -48,6 +48,37 @@ Contribution guidelines are found in Contributing.md_. .. _Contributing.md: https://github.com/pygments/pygments/blob/master/Contributing.md +Security considerations +----------------------- + +Pygments provides no guarantees on the execution time, which needs to be taken +into consideration when using Pygments to process arbitrary user inputs. For +example, if you have a web service which uses Pygments for highlighting, there +may be inputs which will cause the Pygments process to run "forever" and/or use +significant amounts of memory. This can subsequently be used to perform a +remote denial-of-service attack on the server if the processes are not +terminated quickly. + +Unfortunately, it's practically impossible to harden Pygments itself against +those effects: Some regular expressions can result in "catastrophic +backtracking", but other bugs like incorrect matchers can also +cause similar issues, and there is no way to find them in an automated fashion +(short of solving the halting problem.) Pygments has extensive unit tests, automated randomized testing, and is also tested by `OSS-Fuzz `_, but we will never be +able to eliminate all bugs in this area. + +Our recommendations are: + +* Ensure that the Pygments process is _terminated_ after a reasonably short + timeout. In general Pygments should take seconds at most for reasonably-sized + input. +* _Limit_ the number of concurrent Pygments processes to avoid oversubscription + of resources. + +The Pygments authors will treat any bug resulting in long processing times with +high priority -- it's one of those things that will be fixed in a patch release. +When reporting a bug where you suspect super-linear execution times, please make +sure to attach an input to reproduce it. + The authors ----------- -- cgit v1.2.1
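Review bot: the emphasis in the two recommendation bullets uses Markdown underscores (`_terminated_`, `_Limit_`), which reStructuredText does not render as emphasis; since this is README.rst, use `*terminated*` and `*Limit*` instead. Two smaller points in the same hunk: the OSS-Fuzz link reads `` `OSS-Fuzz `_ `` here with no `<url>` target between the name and the closing backtick, so confirm the target is present in the committed file or the RST build will report an unknown reference; and the line "Pygments has extensive unit tests, automated randomized testing, and is also tested by OSS-Fuzz ..." is left unwrapped while the rest of the new section wraps at about 80 columns. Consider also adding a third bullet that caps the size of the input handed to Pygments: the paragraph above warns about both run time and memory use, but a timeout and a concurrency limit bound only time and parallelism, not memory per request.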