Add test capturing failed expectation. Ref #3659.

jaraco · jaraco · commit 579134321d4d · 2022-11-04T13:51:56.000-04:00
diff --git a/setup.cfg b/setup.cfg
@@ -71,6 +71,7 @@ testing =
 	pip_run>=8.8
 	ini2toml[lite]>=0.9
 	tomli-w>=1.0.0
+	pytest-timeout
 
 testing-integration =
 	pytest
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
@@ -1,4 +1,5 @@
-"""PyPI and direct package downloading"""
+"""PyPI and direct package downloading."""
+
 import sys
 import os
 import re
@@ -217,6 +218,9 @@ def wrapper(*args, **kwargs):
 
 
 REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
 
 
 @unique_values
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
@@ -305,3 +305,12 @@ def test_percent_in_password(self, temp_home):
         cred = cfg.creds_by_repository['https://pypi.org']
         assert cred.username == 'jaraco'
         assert cred.password == 'pity%'
+
+
+@pytest.mark.xfail(reason="#3659")
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
