Skip to content
GitLab
Next
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • GitLab GitLab
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 54.9k
    • Issues 54.9k
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 1.5k
    • Merge requests 1.5k
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Package Registry
    • Container Registry
    • Terraform modules
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • GitLab.orgGitLab.org
  • GitLabGitLab
  • Issues
  • #349148
Closed
Open
Issue created Dec 22, 2021 by GitLab SecurityBot@gitlab-securitybotReporter

An RDoc file containing a specially crafted regex can crash puma

HackerOne report #1415071 by vakzz on 2021-12-02, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

Summary

There is a stack-buffer-overflow in ruby still affecting ruby 2.7.x that can cause a segmentation fault and crash when compiling certain regexes.

Normally there would be no way for a user to specify their own regex to be compiled, but when rendering rdoc files there is a check to see if a block of text is valid ruby:

https://github.com/ruby/rdoc/blob/master/lib/rdoc/markup/to_html.rb#L427

  ##  
  # Returns true if text is valid ruby syntax

  def parseable? text  
    verbose, $VERBOSE = $VERBOSE, nil  
    eval("BEGIN {return true}\n#{text}")  
  rescue SyntaxError  
    false  
  ensure  
    $VERBOSE = verbose  
  end  

This will never execute any code except for returning true due to how BEGIN works (I'm pretty sure anyway) but will run it through the ruby parser to generate an ast. Since regexes are compiled during this stage, it's possible to trigger the stack overflow using the following readme.rdoc:

code:  
  /(())(?<X>)((?(2147483647)))/  

I might me possible to exploit the buffer overflow instead of just causing a crash, but if it is possible it would be quite difficult due to not having a leak for aslr and single shot.

Steps to reproduce
  1. Create a new project
  2. Create a new file aaa.rdocwith the following contents:
code:  
  /(())(?<X>)((?(2147483647)))/  
  1. Commit and try to view the file
  2. There will be an error loading the viewer, the request for the rich version will return 502 as puma has crashed
Impact

A malicious rdoc can cause puma to crash when it's rendered. A user could constantly request the url, constantly crashing all of the puma processes and denying access to the gitlab instance. For example running the following ffuf with a rate of just 1 request per second is enough to bring down my vm and prevent any legitimate requests:

ffuf -u 'http://localhost:8888/root/crash/-/blob/main/aaa.rdoc?format=json&viewer=rich&FUZZ' -w /usr/share/dict/words -rate 1 -t 5  
Examples

POC repo - https://gitlab.com/vakzz-h1/rdoc-crash/
Crashing example: https://gitlab.com/vakzz-h1/rdoc-crash/-/blob/main/aaa.rdoc?format=json&viewer=rich

What is the current bug behavior?

Ruby crashes when trying to parse a specific regex

What is the expected correct behavior?

Ruby shouldn't crash when parsing regexes, and rdoc probably shouldn't eval code even with the BEGIN guard

Relevant logs and/or screenshots

regex-crash.log

Output of checks

This bug happens on GitLab.com

Impact

A malicious rdoc can cause puma to crash when it's rendered. A user could constantly request the url, constantly crashing all of the puma processes and denying access to the gitlab instance. For example running the following ffuf with a rate of just 1 request per second is enough to bring down my vm and prevent any legitimate requests:

ffuf -u 'http://localhost:8888/root/crash/-/blob/main/aaa.rdoc?format=json&viewer=rich&FUZZ' -w /usr/share/dict/words -rate 1 -t 5  

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • regex-crash.log

How To Reproduce

Please add reproducibility information to this section:

Assignee
Assign to
Time tracking