fix: mitigate ReDoS in to_duration via max input length check (closes #494) (#523)

2025-08-25 15:01:14 +00:00 · 2025-04-22 00:16:33 +02:00
parent 63962343d9
commit 3c12e99970
2 changed files with 39 additions and 0 deletions
--- a/src/akkudoktoreos/utils/datetimeutil.py
+++ b/src/akkudoktoreos/utils/datetimeutil.py
@@ -34,6 +34,7 @@ from timezonefinder import TimezoneFinder
 from akkudoktoreos.core.logging import get_logger

 logger = get_logger(__name__)
+MAX_DURATION_STRING_LENGTH = 350


@overload
@@ -287,6 +288,11 @@ def to_duration(
            "second": 1,
        }

+        # Mitigate ReDoS vulnerability (#494) by checking input string length.
+        if len(input_value) > MAX_DURATION_STRING_LENGTH:
+            raise ValueError(
+                f"Input string exceeds maximum allowed length ({MAX_DURATION_STRING_LENGTH})."
+            )
        # Regular expression to match time components like '2 days', '5 hours', etc.
        matches = re.findall(r"(\d+)\s*(days?|hours?|minutes?|seconds?)", input_value)