fix(security): resolve exponential ReDoS in globmatch via dynamic programming (fixes #241) #250
Open
iapoorv01 wants to merge 2 commits into
Branch force-pushed from 42b1a08 to 6d9e806.
zxqfd555 (Collaborator) reviewed on Jun 30, 2026:
Please add a test that runs for a long while without the fix, but runs fast with the fix. It will pin the desired behavior on potentially harmful input. Also, by running it on the current trunk and the branch with the fix, it will be easy to verify the change in speed.
Branch force-pushed from 7e83bcd to 7869c52.
iapoorv01 (Author, Contributor):
Thanks for the thorough review, @zxqfd555! I've just pushed an update that addresses all of your feedback:
Let me know if anything else catches your eye!
zxqfd555 reviewed on Jun 30, 2026.
Co-authored-by: Sergey Kulik <104143901+zxqfd555@users.noreply.github.com>
Context

The Pathway document-store REST endpoints (`/v1/inputs`, `/v1/retrieve`, `/v2/answer`) expose the `filepath_globpattern` parameter to unauthenticated requests. Currently, this pattern is compiled into a custom `globmatch` JMESPath expression and evaluated using `_globmatch_impl`. Because `_globmatch_impl` recursed on two branches for every `**` wildcard without state caching, it suffered from a classic Algorithmic Complexity vulnerability (CWE-400 / ReDoS). A maliciously crafted unauthenticated payload (e.g., `**/a/**/a/**/a/**/a/**/b`) forced $O(2^k)$ exponential recursive calls, effectively pinning a worker CPU core indefinitely and causing a Denial of Service.

Evaluation of Remediation Approaches

When addressing this vulnerability, three primary mitigation strategies were evaluated:

1. Restricting the input (limiting `**` segments or string length).
2. Translating the glob to a regular expression: translating `fnmatch` semantics perfectly into regex edge-cases is error-prone and can sometimes introduce native ReDoS vulnerabilities in the `re` module itself.
3. Memoization of the recursive matcher.

What this PR does

This PR implements Approach 3 (Memoization).

- I rewrote `_globmatch_impl` to pass a `memo` dictionary down the recursive stack, explicitly caching the `(pat_i, p_i)` state grid; the malicious payload above now returns in < 1ms.
- Added `import jmespath.exceptions` at the top of the file to resolve a latent IDE unresolved-reference warning on line 252.

How has this been tested?

- Ran the malicious pattern (`**/a/**/a/**/a...`) against both implementations. The un-memoized implementation hung indefinitely; the memoized implementation returned immediately.
- Ran the existing `pytest` suite to ensure no existing JMESPath metadata filtering tests are broken by the memo dictionary inclusion.

Related issue(s): #241

Types of changes
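As an added illustration, not Pathway's code and not the patch in this PR, of the memoization the description refers to and of the regression test the reviewer asked for: a simplified, segment-based glob matcher in which `**` matches zero or more whole path segments and every other segment goes through `fnmatchcase` (assumed semantics; Pathway's `_globmatch_impl` may differ). The naive version forks on every `**`; the memoized version stores each `(pat_i, p_i)` state in a dict threaded through the recursion, so the work is bounded by the size of the state grid. `naive_exceeds_budget` is the shape of a test that fails on the unfixed code and passes on the fixed one, with a call budget standing in for a wall-clock timeout. The names `naive_globmatch`, `memo_globmatch`, `state_bound`, `HOSTILE_PATTERN` and `HOSTILE_PATH` are this example's own.

```python
"""Added example: naive vs memoized '**' glob matching.

Not Pathway's code. It mirrors the idea in the PR (cache the (pat_i, p_i)
state grid) on a simplified, segment-based glob. Assumptions:
  * patterns and paths are split on '/';
  * '**' matches zero or more whole segments;
  * every other pattern segment is compared with fnmatchcase.
"""
from __future__ import annotations

from fnmatch import fnmatchcase


class RecursionBudgetExceeded(Exception):
    """Raised when the naive matcher exceeds its call budget."""


def _segments(s: str) -> list[str]:
    """Split on '/' and drop empty segments (leading '/', doubled '/')."""
    return [seg for seg in s.split("/") if seg]


def naive_globmatch(pattern: str, path: str, max_calls: int = 200_000) -> tuple[bool, int]:
    """Uncached recursion: every '**' forks into two branches, so the number
    of calls grows exponentially in the number of '**' segments.
    Returns (matched, calls) or raises once max_calls is exceeded."""
    pat, p = _segments(pattern), _segments(path)
    calls = 0

    def rec(pat_i: int, p_i: int) -> bool:
        nonlocal calls
        calls += 1
        if calls > max_calls:
            raise RecursionBudgetExceeded(calls)
        if pat_i == len(pat):
            return p_i == len(p)
        if pat[pat_i] == "**":
            # branch 1: '**' matches nothing, advance the pattern
            if rec(pat_i + 1, p_i):
                return True
            # branch 2: '**' swallows one path segment, stay on the pattern
            return p_i < len(p) and rec(pat_i, p_i + 1)
        if p_i < len(p) and fnmatchcase(p[p_i], pat[pat_i]):
            return rec(pat_i + 1, p_i + 1)
        return False

    return rec(0, 0), calls


def memo_globmatch(pattern: str, path: str) -> tuple[bool, int]:
    """Same recursion, but each (pat_i, p_i) state is computed once and stored
    in a memo dict passed down the recursion. Returns (matched, states)."""
    pat, p = _segments(pattern), _segments(path)
    memo: dict[tuple[int, int], bool] = {}

    def rec(pat_i: int, p_i: int) -> bool:
        key = (pat_i, p_i)
        if key in memo:
            return memo[key]
        if pat_i == len(pat):
            result = p_i == len(p)
        elif pat[pat_i] == "**":
            result = rec(pat_i + 1, p_i) or (p_i < len(p) and rec(pat_i, p_i + 1))
        elif p_i < len(p) and fnmatchcase(p[p_i], pat[pat_i]):
            result = rec(pat_i + 1, p_i + 1)
        else:
            result = False
        memo[key] = result
        return result

    return rec(0, 0), len(memo)


def state_bound(pattern: str, path: str) -> int:
    """Upper bound on distinct (pat_i, p_i) states the memoized matcher can visit."""
    return (len(_segments(pattern)) + 1) * (len(_segments(path)) + 1)


def naive_exceeds_budget(pattern: str, path: str, max_calls: int = 200_000) -> bool:
    """Regression-test helper: True if the naive matcher blows its budget."""
    try:
        naive_globmatch(pattern, path, max_calls)
    except RecursionBudgetExceeded:
        return True
    return False


# Constructed pathological input in the shape the PR describes: many '**'
# segments and a path that nearly matches but can never satisfy the final 'b'.
HOSTILE_PATTERN = "/".join(["**", "a"] * 10 + ["**", "b"])
HOSTILE_PATH = "/".join(["a"] * 30)


if __name__ == "__main__":
    print("simple case:", memo_globmatch("**/a/**/b", "x/a/y/b"))
    print("naive blows budget on hostile input:", naive_exceeds_budget(HOSTILE_PATTERN, HOSTILE_PATH))
    print("memoized on hostile input:", memo_globmatch(HOSTILE_PATTERN, HOSTILE_PATH),
          "of at most", state_bound(HOSTILE_PATTERN, HOSTILE_PATH), "states")
```

A regression test in the spirit of the review comment asserts both halves: `naive_exceeds_budget` on the hostile input is True (the unfixed behaviour), and `memo_globmatch` on the same input returns False in no more than `state_bound` states. The budget is deterministic, so the test does not depend on machine speed the way a wall-clock timeout would.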