CustomEmoji name validation vulnerable to regular expression denial of service
Summary
The regular expression that validates custom emoji names, /\A([a-z0-9]+[-_]?)+[a-z0-9]+\z/, is vulnerable to regular expression denial of service. This API was recently added in !37911 (merged) and is still behind a feature flag (#231317 (closed)).
Steps to reproduce
This mutation should do it:
mutation {
  createCustomEmoji(input: {
    groupPath: "groupname"
    url: "https://assets.gitlab-static.net/uploads/-/system/user/avatar/4992072/avatar.png"
    name: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
  }) {
    clientMutationId
    customEmoji {
      id
    }
    errors
  }
}
Also reproduced with this modification to the specs:
diff --git a/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb b/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb
index c91437fa355..e3948fd6505 100644
--- a/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb
+++ b/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb
@@ -10,7 +10,7 @@
let(:attributes) do
{
- name: 'my_new_emoji',
+ name: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!',
url: 'https://example.com/image.png',
group_path: group.full_path
}
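Review bot: the `+ name:` line makes this spec hang on the vulnerable regex instead of failing; as a regression test it should run under a time bound (e.g. `Timeout.timeout` around the request) and expect a validation error for the trailing `!`, so a future backtracking regression shows up as a failed example rather than a stuck CI job.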
What is the current bug behavior?
A crafted emoji name can lock up a CPU at 100%.
What is the expected correct behavior?
Name validation should not be a performance concern.
Possible fixes
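As an added example (not GitLab's code or its eventual fix), the regex from the summary next to a linear-time rewrite that accepts exactly the same names, exercised with the payload from the reproduction; `valid_emoji_name?`, `match_with_deadline` and the sample names are constructed here.

```ruby
require 'timeout'

# Regex from the issue. The nested quantifier `([a-z0-9]+[-_]?)+` lets the engine
# split a run of alphanumerics into exponentially many groupings before the
# final `\z` fails on a trailing character such as "!".
VULNERABLE_NAME_REGEX = /\A([a-z0-9]+[-_]?)+[a-z0-9]+\z/

# Rewrite (assumption: not the fix GitLab shipped). Same language: alphanumerics,
# single "-" or "_" separators, alphanumeric first and last, at least 2 chars.
# Each repetition consumes exactly one alphanumeric, optionally preceded by one
# separator, so there is only one way to match and a failed match is linear.
SAFE_NAME_REGEX = /\A[a-z0-9](?:[-_]?[a-z0-9])+\z/

def valid_emoji_name?(name, regex = SAFE_NAME_REGEX)
  regex.match?(name)
end

# Runs the match under a wall-clock deadline; returns true/false, or :timeout
# when the engine did not finish (what a stuck request thread looks like).
def match_with_deadline(regex, name, seconds: 1)
  Timeout.timeout(seconds) { regex.match?(name) }
rescue Timeout::Error
  :timeout
end

# Constructed inputs: names that should pass, names that should fail, and the
# 41 x "a" plus "!" payload from the steps to reproduce.
ACCEPTED = %w[ab thumbs_up party-parrot a1-b2_c3 00 x-y]
REJECTED = ['', 'a', '-ab', 'ab-', 'a--b', 'a_-b', 'Thumbs_Up', 'a b', 'thumbs up!']
PAYLOAD  = ('a' * 41) + '!'

# Both regexes give the same verdict on every ordinary name, so swapping the
# regex changes performance, not validation behaviour.
def regexes_agree?(names)
  names.all? { |n| VULNERABLE_NAME_REGEX.match?(n) == SAFE_NAME_REGEX.match?(n) }
end

if __FILE__ == $PROGRAM_NAME
  puts "agree on accepted names: #{regexes_agree?(ACCEPTED)}"
  puts "agree on rejected names: #{regexes_agree?(REJECTED)}"
  puts "safe regex on payload:       #{match_with_deadline(SAFE_NAME_REGEX, PAYLOAD).inspect}"
  puts "vulnerable regex on payload: #{match_with_deadline(VULNERABLE_NAME_REGEX, PAYLOAD).inspect}"
end
```

On Ruby 3.2 and later the interpreter's own regex memoization usually lets the original pattern finish quickly, and `Regexp.timeout=` is available as a global backstop; the rewrite removes the exponential backtracking on every Ruby version.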
Edited by Dominic Couture