Import from GitHub allows executing ReDoS with protected branch
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1862810 by kakashi77
on 2023-02-05, assigned to @cmaxim:
Report
Summary
Hello,
While I was investigating mining on GitHub import, I found a vulnerability on gitlab.com allowing execution of ReDoS.
When importing a GitHub repository, GitLab imports the branch protection rules, but there is a problem with the regular expression used:

```ruby
branch_name = branch_protection[:url].match(%r{/branches/(\S{1,255})/protection$})[1]
```

This regex takes polynomial time in the worst case if the input is like `url + "branches/".repeat(10000000) + "protection"`.
Steps to reproduce
1. (Any preconditions in the environment) First, set up a proxy server to change the results of the protected-branch rule in GitHub.
   - First, create a GitHub repository and a GitHub access token to import into GitLab, and enable a protected branch rule in GitHub.
   - You need to set up a proxy server and change the results of the GitHub import. I attached the proxy server scripts in the attachment.
   - Run:
     ```
     ngrok http 5000
     ```
   - Then set the following values as environment variables:
     ```
     PRIVATE_TOKEN="<your access token in gitlab>"
     PERSONAL_ACCESS_TOKEN="<your access token in github>"
     GITHUB_HOSTNAME="<ngrok url>"
     GITLAB_HOSTNAME="<your selfhost url>"
     GITHUB_OWNER="<github account name>"
     GITHUB_PROJECT_ID="<project Id for your repository in github>"
     GITHUB_REPOSITORY="<repository name in github>"
     ```
   - Run:
     ```
     npm install
     node app.js
     ```
2. Send the import API request to trigger the ReDoS:
   ```
   sh request.sh
   ```
   - It will call the import API 3 times.
   - You can see from the admin screen that the three `github_importer:github_import_stage_import_protected_branches` jobs are taking a long time to process and are stuck.
Impact
Since you can run it from the API, and by running a large number of API requests at the same time, I believe you can eventually bring down the service.
What is the current bug behavior?
This regex takes polynomial time in the worst case.
Output of checks
Results of GitLab environment info
```
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.7p221
Gem Version: 3.1.6
Bundler Version: 2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.8
Sidekiq Version: 6.5.7
Go Version: unknown

GitLab information
Version: 15.7.5-ee
Revision: 677cf66582b
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.8
URL: http://gitlab.yukiosaki.me
HTTP Clone URL: http://gitlab.yukiosaki.me/some-group/some-project.git
SSH Clone URL: git@gitlab.yukiosaki.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.14.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- Screenshot_from_2023-02-05_23-56-17.png
- proxy-github-import.zip
- Screencast_from_2023_02_06__01_06_51_.webm
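The following is an added example, not code from the report or from GitLab, that puts the quoted regex next to a hardened extraction and shows why the regex misbehaves on the input shape the report describes. The hardened variant is an assumption for this example (it is not GitLab's actual fix): it assumes the GitHub branch-protection URL always has the path shape `/repos/<owner>/<repo>/branches/<name>/protection`, and it keeps the original acceptance rule of 1 to 255 non-whitespace characters for the name. The hostile URL is constructed inline at a far smaller size than the report's so the block runs in milliseconds.

```ruby
require 'uri'
require 'benchmark'

# The regex as quoted in the report. It is not anchored at the start and \S also
# matches '/', so every "/branches/" occurrence in a long path is a fresh start
# position from which the engine tries up to 255 candidate lengths before the
# trailing "/protection$" fails, then moves on to the next occurrence.
VULNERABLE_RE = %r{/branches/(\S{1,255})/protection$}

def branch_name_vulnerable(url)
  m = url.match(VULNERABLE_RE)
  m && m[1]
end

PROTECTION_SUFFIX = '/protection'.freeze
MAX_BRANCH_NAME = 255

# Hardened variant (assumption for this example, not GitLab's fix): parse the
# path by its expected structure with plain string operations, so the cost is
# linear in the URL length and a URL of the wrong shape is rejected instead of
# being scanned for a substring that happens to fit. Branch names may contain
# '/', so the name is everything between the fourth segment and the suffix.
def branch_name_hardened(url)
  path = URI.parse(url).path
  # Expected shape: /repos/<owner>/<repo>/branches/<name>/protection
  _, repos, owner, repo, branches, rest = path.split('/', 6)
  return nil unless repos == 'repos' && branches == 'branches' && rest
  return nil if owner.to_s.empty? || repo.to_s.empty?
  return nil unless rest.end_with?(PROTECTION_SUFFIX)

  name = rest.delete_suffix(PROTECTION_SUFFIX)
  # Same acceptance rule the original regex encoded: 1..255 non-whitespace chars.
  return nil if name.empty? || name.length > MAX_BRANCH_NAME || name.match?(/\s/)

  name
rescue URI::InvalidURIError
  nil
end

# Constructed check input: a much smaller instance of the shape the report
# describes (repeated "branches/" segments before "protection").
def constructed_hostile_url(repeats = 2_000)
  'https://api.github.com/repos/owner/repo/' + ('branches/' * repeats) + 'protection'
end

# Returns [vulnerable_seconds, hardened_seconds] for the given URL. On the
# constructed input the regex backtracks at every "/branches/" until it finds
# the first one followed by at most 255 chars and "/protection", and then
# still hands back a bogus "branch name"; the structured parser returns nil.
def compare_cost(url = constructed_hostile_url)
  t_vuln = Benchmark.realtime { branch_name_vulnerable(url) }
  t_hard = Benchmark.realtime { branch_name_hardened(url) }
  [t_vuln, t_hard]
end

if __FILE__ == $PROGRAM_NAME
  good = 'https://api.github.com/repos/octocat/Hello-World/branches/main/protection'
  puts "vulnerable: #{branch_name_vulnerable(good).inspect}"
  puts "hardened:   #{branch_name_hardened(good).inspect}"
  hostile = constructed_hostile_url
  puts "hostile, vulnerable: #{branch_name_vulnerable(hostile).inspect}"
  puts "hostile, hardened:   #{branch_name_hardened(hostile).inspect}"
  vuln_s, hard_s = compare_cost(hostile)
  puts format('hostile input: regex %.4fs vs structured parse %.4fs', vuln_s, hard_s)
end
```

Two things are worth noticing when running it. The cost of the regex grows with the number of `/branches/` occurrences times the 255 retries each, while the structured parser does one `split` and one suffix check. And the regex does not merely get slow: on the constructed URL it eventually returns a 251-character "branch name" made of repeated `branches` segments, because the first start position with at most 255 characters before `/protection` wins, whereas a parser that checks the expected path shape rejects the URL. Validating the structure of data received from a remote API, rather than searching it for a pattern, removes both the denial-of-service and the garbage-in problem; on Ruby 3.2 and later, `Regexp.timeout` can additionally cap how long any single match is allowed to run as a defence in depth.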
How To Reproduce
Please add reproducibility information to this section: