[BUG] Inefficient Regex

[SCH227]

setuptools version

setuptools==65.5.0

Python version

Python 3.10

OS

Kali Linux

Additional environment information

The reported bug should be independent from env

Description

This regex pattern is inefficient.
As described through PSRT channel, it may end in a DoS if an user is fetching malicious HTML from a package in PyPI or custom PackageIndex page.

Expected behavior

Regex matches/not without hanging.
The following regex seems to be performing ok:
<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>

How to Reproduce

Described through PSRT channel

Output

[ hangs forever ]

[domdfcoding]

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

[Doondondon]

Is this can’t be triggered when using setuptools itself to not interact with package index, or can notit be triggered when using pip?

[jaraco]

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

I could in theory be triggered using pip if:

• pip builds a package from source
• that package is built with setuptools
• that package has build-time dependencies (setup_requires) that aren't already satisfied in the environment or by pip (either because build-requires isn't declared or the invocation has bypassed the pep 518 behavior to install them).