Regular expression denial of service issues in Rouge
In https://gitlab.com/gitlab-com/gl-security/appsec/appsec-reviews/-/issues/140#note_841884477 I found a few regular expression denial of service issues in Rouge. Similar to #338048 (closed) and #347277 (closed).
The strings required to trigger the issues are very long, but still "only" a few hundred kilobytes and well within the range of what we accept as input.
BSL lexer
BSL lexer is vulnerable in https://github.com/rouge-ruby/rouge/blob/7f750f0e9f95c77f6bc95e7726acf85c8e35b1e3/lib/rouge/lexers/bsl.rb#L75
Reproduction: generate the payload with `ruby -e "print '9.' * 200000 + 'a'"` and put that in a `bsl` code block for syntax highlighting in a note/issue/MR/epic.
ECL lexer
ECL lexer is vulnerable in https://github.com/rouge-ruby/rouge/blob/7f750f0e9f95c77f6bc95e7726acf85c8e35b1e3/lib/rouge/lexers/ecl.rb#L14
Reproduction: generate the payload with `ruby -e "print 'a' + '1' * 100000 + '_'"` and put that in an `ecl` code block for syntax highlighting in a note/issue/MR/epic.
apiblueprint lexer
apiblueprint lexer is vulnerable in https://github.com/rouge-ruby/rouge/blob/7f750f0e9f95c77f6bc95e7726acf85c8e35b1e3/lib/rouge/lexers/apiblueprint.rb#L28
Reproduction: generate the payload with `ruby -e 'print "##" + "[" * 100000 + "\n]"'` and put that in an `apiblueprint` code block for syntax highlighting in a note/issue/MR/epic.
I'm opening a single issue, but let me know if I should split it into three.
Notes
- See the "Quantifiers in Sequence" section of this page for details on fixing ReDoS issues: https://www.regular-expressions.info/redos.html
- Prior Rouge fix PR: https://github.com/rouge-ruby/rouge/pull/1773
- See https://devina.io/redos-checker to check patterns automatically
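As an added illustration of the class of bug behind the three lexers and of the kind of check and guard a reviewer would want, here is a small Ruby script that is not part of this issue or of Rouge. The pattern `NESTED_QUANTIFIER` is a constructed number-literal rule with the nested-quantifier shape the linked regular-expressions.info page describes, not the actual regex at any of the Rouge lines referenced above; `LINEAR` is its unambiguous rewrite. `digit_payload` builds inputs in the style of the ECL reproduction (a run of digits followed by a character that makes the whole match fail), `growth_profile` times a pattern over growing payload sizes so superlinear growth shows up before a change is merged, and `guarded_highlight` is an assumed wrapper for whatever highlighting call the application makes (size cap plus time bound, falling back to the raw text). Ruby 3.2+ also offers `Regexp.timeout`, which the script enables when available.

```ruby
require 'timeout'

# Ruby 3.2+ can bound every regex match globally; older Rubies ignore this line.
Regexp.timeout = 5.0 if Regexp.respond_to?(:timeout=)

# Exceptions that mean "the match took too long", across Ruby versions.
REGEXP_TIMEOUT_ERRORS = [Timeout::Error] +
  (defined?(Regexp::TimeoutError) ? [Regexp::TimeoutError] : [])

# Constructed number-literal rule with a nested quantifier: (\d+)+ can split a
# run of digits in 2^(n-1) ways, so a trailing character that defeats the match
# makes a backtracking engine try every split. This is NOT Rouge's pattern.
NESTED_QUANTIFIER = /\A(\d+)+\z/

# The same language without the ambiguity: the repeated group added nothing
# that a single \d+ does not already match.
LINEAR = /\A\d+\z/

# Payload in the style of the report: a long digit run, then a failing char.
def digit_payload(n)
  '1' * n + '_'
end

# Time one match attempt; returns [matched?, seconds, timed_out?].
def timed_match(regex, input, limit_seconds: 2)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = Timeout.timeout(limit_seconds) { regex.match?(input) }
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start, false]
rescue *REGEXP_TIMEOUT_ERRORS
  [nil, limit_seconds, true]
end

# Run a pattern against growing payloads. Matching time that roughly doubles
# with each fixed step in n (or hits the limit) is catastrophic backtracking;
# a safe rule stays close to linear in n.
def growth_profile(regex, sizes)
  sizes.map do |n|
    matched, secs, timed_out = timed_match(regex, digit_payload(n))
    { n: n, matched: matched, seconds: secs, timed_out: timed_out }
  end
end

# Defensive wrapper around a highlighting call (assumed API: the block receives
# the source and returns highlighted output). Caps input size and bounds the
# time the lexer may spend; on either limit the caller gets the raw text back
# and can render it unhighlighted instead of tying up a worker.
MAX_BYTES = 100 * 1024

def guarded_highlight(source, limit_seconds: 1)
  return { fallback: :too_large, text: source } if source.bytesize > MAX_BYTES
  Timeout.timeout(limit_seconds) { { fallback: nil, text: yield(source) } }
rescue *REGEXP_TIMEOUT_ERRORS
  { fallback: :timeout, text: source }
end

if __FILE__ == $0
  # Small sizes on purpose: 2^19 splits is already visible on engines without
  # memoization, and stays well under the 2 s limit.
  [NESTED_QUANTIFIER, LINEAR].each do |rx|
    puts rx.inspect
    growth_profile(rx, [10, 15, 20]).each do |row|
      puts format('  n=%-3d matched=%-5s %.4fs%s', row[:n], row[:matched].inspect,
                  row[:seconds], row[:timed_out] ? ' (timed out)' : '')
    end
  end
end
```

On Ruby 3.2 and later the regex engine memoizes most backtracking positions, so the constructed pattern no longer blows up there; the profile is still worth running against the Ruby version the application actually ships with, which is the one the reproduction strings above target.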