ReDoS Vulnerability in svnurl.py

Issue Status: Closed
Reported by: SCH227
Report Date: September 22, 2022

Vulnerability Details:
- svnurl.py is vulnerable to Regular Expression Denial of Service (ReDoS): a crafted input line makes the parsing regex backtrack through an exponential number of ways to split the input.
- Attack Vector: a user accessing a (possibly remote) Subversion repository that serves malicious "info" data, or an attacker injecting crafted 'svn ls http://...' output.

Suggested Fix: use a pattern with non-overlapping groups, so that no two adjacent parts of the expression can consume the same characters and a failed match backtracks only linearly.

CVE Information:
- CVE-2022-42969 is associated with this issue.
- GHSA-w596-4wvx-j9j6

Discussion Highlights:
- Skepticism about how much this particular code is actually used and about its real security impact.
- A proposed fix of removing it outright, given its deprecated status, minimal use, and the archival plans.
- Concerns that the CVE generates false security reports for pytest users, potentially causing major issues for maintainers and users.
- Characterization of the CVE itself as a supply chain attack, with a proposal to drop it altogether.
- Actions taken: a note was added to the GitHub advisory and a Public Service Announcement (PSA) was sent out.

Current Status: Issue closed as of July 18, 2024, with the recognition that scanner reports flagging this vulnerability are a sign of low-quality tooling and poor reporting.
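To make the suggested fix concrete, the following added example (not code from the py project, the advisory, or the reporter; the `svn ls -v`-style line format, both patterns and the sample lines are constructed for illustration) contrasts a parser whose author group overlaps with its neighbours against one built from non-overlapping groups, and times a crafted line against each.

```python
"""Added example: overlapping vs. non-overlapping regex groups (ReDoS).

Constructed illustration for a parser of `svn ls -v`-style lines. Neither
pattern is the py library's real one, and the sample lines are made up.
"""
import re
import time

# Constructed sample lines in the shape of `svn ls -v` output (not real data).
SAMPLE_LINES = [
    "   1234 alice        5678 Sep 22 12:34 trunk/README",
    "   1235 bob             0 Sep 22 12:35 trunk/src/",
]

FIELDS = ("rev", "author", "size", "date", "name")

# Hypothetical vulnerable pattern. The author group ([a-z]+\s*)+ is a repeated
# group whose iterations overlap: because the inner \s* may match nothing, a run
# of n letters can be split between iterations in 2^(n-1) ways, and the engine
# tries every split when the following \d+ fails to match.
VULNERABLE = re.compile(
    r"^\s*(?P<rev>\d+)\s+(?P<author>([a-z]+\s*)+)(?P<size>\d+)\s+"
    r"(?P<date>\w{3} \d{1,2} \d{2}:\d{2})\s+(?P<name>.*)$"
)

# Hardened pattern with non-overlapping groups: every field is a single token,
# and adjacent fields are separated by a mandatory \s+ that neither neighbour's
# character class can consume, so each input position has exactly one way to
# be matched and a failed match backtracks only linearly.
HARDENED = re.compile(
    r"^\s*(?P<rev>\d+)\s+(?P<author>[a-z]+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3} \d{1,2} \d{2}:\d{2})\s+(?P<name>.*)$"
)


def parse_listing(pattern, lines):
    """Parse listing lines into dicts of named fields; non-matching lines are skipped."""
    rows = []
    for line in lines:
        m = pattern.match(line)
        if m:
            rows.append({field: m.group(field) for field in FIELDS})
    return rows


def malicious_line(n):
    """Attacker-controlled line: a valid revision, n letters as the 'author',
    then a character that is neither a letter nor a digit, so the size field
    can never match and the engine is forced to backtrack through the author."""
    return "   1234 " + "a" * n + "!"


def match_seconds(pattern, text):
    """Wall-clock time of a single pattern.match() call."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for row in parse_listing(HARDENED, SAMPLE_LINES):
        print(row)
    # Each extra pair of letters roughly quadruples the vulnerable pattern's
    # work; the hardened pattern rejects a 20000-character line immediately.
    for n in (14, 16, 18):
        print(f"n={n:<5} vulnerable: {match_seconds(VULNERABLE, malicious_line(n)):.4f}s")
    print(f"n=20000 hardened:   {match_seconds(HARDENED, malicious_line(20000)):.4f}s")
```

Raising `n` past about 24 in the vulnerable loop turns the demonstration into a real hang, which is the whole point: the attacker controls the line length, so the only durable fix is the pattern itself (or a hard cap on line length before matching), not a faster machine.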