Skip to content

Commit d7b385f

Browse files
JelleZijlstraJelleZijlstra
committed
tests and changelog
1 parent 309693d commit d7b385f

File tree

2 files changed

+24
-1
lines changed

2 files changed

+24
-1
lines changed

CHANGES.md

+12-1
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,14 @@
66

77
<!-- Include any especially major or disruptive changes here -->
88

9+
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
10+
run Black on untrusted input, or if you habitually put thousands of leading tab
11+
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
12+
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).
13+
14+
This release also fixes a bug in Black's AST safety check that allowed Black to make
15+
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
16+
917
### Stable style
1018

1119
<!-- Changes that affect Black's stable style -->
@@ -36,7 +44,10 @@
3644

3745
### Performance
3846

39-
<!-- Changes that improve Black's performance. -->
47+
- Fix catastrophic performance on docstrings that contain large numbers of leading tab
48+
characters. This fixes
49+
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).
50+
(#4278)
4051

4152
### Output
4253

tests/test_black.py

+12
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,7 @@
4848
from black.output import color_diff, diff
4949
from black.parsing import ASTSafetyError
5050
from black.report import Report
51+
from black.strings import lines_with_leading_tabs_expanded
5152

5253
# Import other test classes
5354
from tests.util import (
@@ -2041,6 +2042,17 @@ def test_line_ranges_in_pyproject_toml(self) -> None:
20412042
b"Cannot use line-ranges in the pyproject.toml file." in result.stderr_bytes
20422043
)
20432044

2045+
def test_lines_with_leading_tabs_expanded(self) -> None:
2046+
# See CVE-2024-21503. Mostly test that this completes in a reasonable
2047+
# time.
2048+
payload = "\t" * 10_000
2049+
assert lines_with_leading_tabs_expanded(payload) == [payload]
2050+
2051+
tab = " " * 8
2052+
assert lines_with_leading_tabs_expanded("\tx") == [f"{tab}x"]
2053+
assert lines_with_leading_tabs_expanded("\t\tx") == [f"{tab}{tab}x"]
2054+
assert lines_with_leading_tabs_expanded("\tx\n y") == [f"{tab}x", " y"]
2055+
20442056

20452057
class TestCaching:
20462058
def test_get_cache_dir(

0 commit comments

Comments
 (0)