undefect Pyramid CWE-407 Disclosure Brief #3817
Open
russellballestrini wants to merge 4 commits into
pyramid-0001: RoutesMapper._routeset shadow set for connect() O(1) membership
pyramid-0002: StaticURLInfo._name_index dict for register() O(1) name lookup
pyramid-0003: ConflictResolverState._remaining_ids set for O(1) removal
pyramid-0004: TopologicalSorter.sorted() deque + roots_set for O(1) remove
pyramid-0005: Introspector._refs_set shadow set for relate/unrelate O(1) checks
511/511 tests pass.
util.py: two missed O(N) list scans in TopologicalSorter.sorted():
- names_set for O(1) edge filter (a in names and b in names)
- _names_set shadow set on instance for O(1) in add() and sorted() result loop
tests/test_cwe407_regression.py: regression test suite for all 5 CWE-407 fixes.
- Structural assertions: shadow attributes exist, stay in sync, types correct
- Behavioral assertions: spy lists/sets detect if list membership is used
- Complexity assertions: timing at N_small vs N_large=10*N_small, limit=40x
- Covers pyramid-0001 through pyramid-0005 (UNDF-2026-000000231 to 000000235)
530/530 tests pass.
tseaver
requested changes
Apr 4, 2026
- Apply black to tests/test_cwe407_regression.py (spacing, blank lines, import style, dict comprehension formatting)
- Add TestHelpers.test_assert_linear_skips_when_too_fast: cover the t_small<=1e-7 early-return guard in _assert_linear
- Add TestHelpers.test_spy_list_contains_works: verify SpyList.__contains__ records calls and delegates correctly (covers body that proves the fix by never being called from connect())
- In test_register_dedup_linear: cycle names through i%50 so the pop+rebuild dedup branch fires on repeat registrations
- Add TestCWE407StaticURLInfoDedup.test_register_duplicate_name_replaces_entry: structural test for the _name_index dedup path with duplicate names
- Add pragma: no cover to the defensive break in TopologicalSorter.sorted() (invariant roots_set ⊆ deque(roots) makes this branch unreachable)
22/22 tests pass. Test file: 100% coverage.
Contributor
Looks like lint is still failing - @russellballestrini did you run Lines 61 to 67 in 5b13e4a
Ran `tox -e format` (isort + black) and fixed the residual flake8 E501/E226 issues that black cannot rewrap automatically (docstrings, comments, f-string arithmetic). Addresses @miketheman review on PR Pylons#3817.
Contributor, Author
@miketheman thank you for the hint. I have added another commit which hopefully passes. 👍
Member
@mmerickel, @digitalresistor AFAICT, this PR seems ready.
tseaver
approved these changes
Apr 20, 2026
Title: fix CWE-407: replace O(N) list scans with O(1) set/dict lookups in routing, config, and registry
Pyramid — CWE-407 Disclosure Brief
Date: 2026-03-27
Slug: pyramid
Category: intel
Tags: pyramid, cwe-407, intel
Summary: Five O(n²) defects in Pyramid's routing, configuration, and registry systems — all in startup and configuration paths that scale quadratically with application size.
UNDF Identifiers
pyramid-0001, pyramid-0002, pyramid-0003, pyramid-0004, pyramid-0005
Finding
Five O(n²) defects in Pyramid's routing, configuration, and registry systems — all in startup and configuration paths that scale quadratically with application size. All patched. Patches ready for upstream review.
Five quadratic-time defects (CWE-407, Algorithmic Complexity) in Pyramid's routing, configuration conflict resolution, topological sort, and introspector subsystems. All five are in startup and configuration paths — meaning every production deployment, every Gunicorn/uWSGI worker restart, and every rolling restart pays the penalty. All five are patched. 511/511 existing tests pass.
Disclosure coordinated with Tres Seaver (@tseaver) on 2026-03-27. Full write-up: https://undefect.com/patching-pyramid-which-will-patch-pypi/
Defect 1 — urldispatch.py — HIGH — 2,000× speedup
RoutesMapper.connect() performs two O(R) list scans on route replacement. With R routes re-registered, startup is O(R²). At R=1,000: 2,000× op reduction.
Defect 2 — config/views.py — HIGH — 1,000× speedup
StaticURLInfo.register() rebuilds a names list and scans it twice per static view registration — O(R³) total. At R=100: 1,000× op reduction.
Defect 3 — config/actions.py — CRITICAL — 738× speedup
resolveConflicts() runs on every application startup. Each remove() is O(N), giving O(N²) total — paid on every deploy and every worker restart. At N=500: 738× op reduction.
Defect 4 — util.py — HIGH — 176× speedup
TopologicalSorter.sorted() uses a list as a queue with O(N) pop(0)/insert(0) and O(N) membership checks inside the arc loop — O(E²) total. At E=100: 176× op reduction.
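A constructed minimal Kahn-style sort, added here as an illustration of Defect 4 and not Pyramid's TopologicalSorter or the patch's code: the list-as-queue shape with pop(0) and list membership beside a deque with a shadow roots_set. Each version counts the list elements its queue operations walk over, so the quadratic versus linear cost shows on a constructed star-shaped DAG without any timing; the function names and the `touched` counter are assumptions of this example.

```python
from collections import deque

def _build(names, arcs):
    # In-degree table and adjacency for a DAG given as (parent, child) arcs.
    indeg = {n: 0 for n in names}
    children = {n: [] for n in names}
    for a, b in arcs:
        indeg[b] += 1
        children[a].append(b)
    return indeg, children

def toposort_list_queue(names, arcs):
    # 'Before' shape: a list used as a queue.  pop(0) shifts every remaining
    # element and `child not in roots` scans the list; `touched` counts them.
    indeg, children = _build(names, arcs)
    roots = [n for n in names if indeg[n] == 0]
    order, touched = [], 0
    while roots:
        touched += len(roots)          # pop(0) shifts the rest down by one
        node = roots.pop(0)
        order.append(node)
        for child in children[node]:
            indeg[child] -= 1
            if indeg[child] == 0:
                touched += len(roots)  # list `in` is a full scan on a miss
                if child not in roots:
                    roots.append(child)
    return order, touched

def toposort_deque(names, arcs):
    # 'After' shape: deque for O(1) popleft plus a shadow set of the queued
    # roots for O(1) membership, kept in sync on every append and pop.
    indeg, children = _build(names, arcs)
    roots = deque(n for n in names if indeg[n] == 0)
    roots_set = set(roots)
    order, touched = [], 0
    while roots:
        touched += 1                   # popleft is constant time
        node = roots.popleft()
        roots_set.discard(node)
        order.append(node)
        for child in children[node]:
            indeg[child] -= 1
            if indeg[child] == 0:
                touched += 1           # set lookup is constant time
                if child not in roots_set:
                    roots.append(child)
                    roots_set.add(child)
    return order, touched
```

On a root with 100 leaves the list version walks 1 + 100² = 10001 elements while the deque version walks 201, and both return the same order.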
Defect 5 — registry.py — MEDIUM — 6× speedup
Introspector.relate()/unrelate() use list membership scans — O(I²) for I relationships. At I=100: 6× op reduction.
511 passed, 0 failed. UNDF-2026-000000231 through UNDF-2026-000000235. CWE-407: https://cwe.mitre.org/data/definitions/407.html
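The shadow-set pattern behind Defects 1, 2, 3 and 5, as an added example that is not Pyramid's code or the patch: a constructed route mapper in its list-scan form beside its shadow-set form, with a SpyList that counts list membership scans the way the regression suite's spy lists do. The class and function names are assumptions of this example; only the attribute name _routeset mirrors the commit message.

```python
class SpyList(list):
    # Constructed instrumentation, like the regression suite's spy lists: it
    # counts every `x in list` scan the code under test performs.
    def __init__(self, *args):
        super().__init__(*args)
        self.contains_calls = 0
    def __contains__(self, item):
        self.contains_calls += 1
        return super().__contains__(item)

class ListScanMapper:
    # 'Before' shape: replacing a route scans the route list for the old
    # entry, so re-registering R names means R scans of an R-long list.
    def __init__(self):
        self.routelist, self.routes = SpyList(), {}

    def connect(self, name, pattern):
        old = self.routes.get(name)
        if old is not None and old in self.routelist:  # O(R) list scan
            self.routelist.remove(old)
        route = (name, pattern)
        self.routelist.append(route)
        self.routes[name] = route
        return route

class ShadowSetMapper:
    # 'After' shape: a shadow set mirrors routelist so the membership test is
    # O(1); every append and remove must update both or they drift apart.
    # (list.remove itself stays linear; only the scan before it is replaced.)
    def __init__(self):
        self.routelist, self.routes, self._routeset = SpyList(), {}, set()

    def connect(self, name, pattern):
        old = self.routes.get(name)
        if old is not None and old in self._routeset:  # O(1) set lookup
            self.routelist.remove(old)
            self._routeset.discard(old)
        route = (name, pattern)
        self.routelist.append(route)
        self._routeset.add(route)
        self.routes[name] = route
        return route

def register_twice(mapper, n):
    # Register n constructed routes, then re-register every name with a new
    # pattern (the replacement path).  Returns the number of list scans seen.
    for i in range(n):
        mapper.connect(f"route{i}", f"/p{i}")
    for i in range(n):
        mapper.connect(f"route{i}", f"/q{i}")
    return mapper.routelist.contains_calls
```

Re-registering 100 names triggers 100 list scans in the first mapper and none in the second, while both end with the same 100 routes and the shadow set stays equal to the list's contents.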
Patch
Five-location patch across urldispatch.py, views.py, actions.py, util.py, registry.py. Unit tests: 511/511 pass. pyramid-0001: 2,000× speedup. pyramid-0002: 1,000× speedup. pyramid-0003: 738× speedup. pyramid-0004: 176× speedup.
Checksums
pyramid-0001  pyramid-0001-urldispatch-route-set.patch  aa6d9596aa9129be6dd59cc7cb0b13bfda9f0f827ea52dd71619daa159bde634ecf4d9a9564394dff8852d1e359ef236
pyramid-0002  pyramid-0002-views-static-dict.patch  d7821dc455eecd66d3a38ca7b5bf8eb9ed54794d96db6110b436473290f1b853db370a6a105f106dc90232c21a4e3d57
pyramid-0003  pyramid-0003-actions-remaining-set.patch  8e1d0ee3bb336343ed9a7c6b827070d06d6c4246678710b990b1ef3e3107da1ab3ffd93401809df4b8e1c237df085406
pyramid-0004  pyramid-0004-util-toposort-deque.patch  0a7c8db138844ae35200d78d46f7d135599f3c357dd4ef2fa2d817bb25d96492657b0c550be8eb54c42a676df386f6af
pyramid-0005  pyramid-0005-registry-introspectable-set.patch  f8e51c1a934fcb6afce39a4dc0bbbc7e2b7e2279d89d91783a6d41fb9e9fc190caf33ef1c6e452d3a10119bc0770c005
Our Shared Heart
Pyramid is the foundation of the Pylons Project and is used in large Python web applications (including Intranet and enterprise systems).
Peak speedup: 2,000× (additional confirmed ratios: 1,000× · 738× · 176×). Every unpatched install pays that overhead on every affected operation — invisibly, correctly, expensively. Our defect accumulates across sessions, across deployments, across every downstream project that builds on Pyramid.
Our shared infrastructure runs in layers. A quadratic cost at this layer compounds against every layer above & below it. Fixing Pyramid removes one node from our shared O(N²) tax. One less place where our stack slows in silence.
Our patch stands ready for upstream review — submitted & waiting. When our patch lands upstream, every downstream consumer inherits our fix without action on their part. Our correction propagates the same way our defect did — through copy, through dependency, through time.
Our full dependency DAG, bottleneck rankings & compounding analysis: https://undefect.com/public/stress-on-our-shared-heart/