Skip to content

fix(khal-events): add subprocess timeout to prevent DoS#2322

Open
cbxcvl wants to merge 1 commit intonoctalia-dev:mainfrom
cbxcvl:fix/khal-events-dos
Open

fix(khal-events): add subprocess timeout to prevent DoS#2322
cbxcvl wants to merge 1 commit intonoctalia-dev:mainfrom
cbxcvl:fix/khal-events-dos

Conversation

@cbxcvl
Copy link
Copy Markdown
Contributor

@cbxcvl cbxcvl commented Mar 27, 2026
edited
Loading

Summary

Fixes the DoS bug reported in #2321.

subprocess.run was called without a timeout, allowing any caller to pass an unbounded duration (e.g. 999999d) and hang the process indefinitely. Confirmed: process blocked for 98+ seconds before KeyboardInterrupt.

Changes

  • Added timeout=30 to subprocess.run
  • Added subprocess.TimeoutExpired handler — exits with code 1 and prints [] to stderr
  • Skips empty lines in khal output to prevent JSONDecodeError

Test

# triggers timeout after 30s, exits cleanly
time python3 khal-events.py "2023-01-01" "999999d"

# works normally
python3 khal-events.py "2023-01-01" "7d"

Closes #2321

Contributors: @cbxcvl @pa1va

@cbxcvl
fix(khal-events): add subprocess timeout to prevent DoS
c65183e 
subprocess.run was called without a timeout, allowing callers to pass
unbounded durations and hang the process indefinitely. Adds a 30s
timeout with graceful handling of TimeoutExpired, and skips empty
lines in khal output to prevent JSON parse errors.

Reported and patched with @pa1va. Closes noctalia-dev#2321
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

DoS bug in khal-events.py: subprocess.run without timeout

1 participant

@cbxcvl