ReDoS in Jira prefix
HackerOne report #1934802 by yvvdwf
on 2023-04-05, assigned to @dcouture:
Report
Hi,
GitLab recently added a new feature that allows specifying a regex to recognize Jira issues:
### app/models/integrations/jira.rb#L351
```ruby
def jira_issue_match_regex
  # user-supplied regex, falling back to the built-in Jira key pattern
  match_regex = (jira_issue_regex.presence || Gitlab::Regex.jira_issue_key_regex)
  # both the prefix and the pattern are interpolated as raw regex source
  /\b#{jira_issue_prefix}(?<issue>#{match_regex})/
end
```
`jira_issue_prefix` and `jira_issue_regex` are user input, which can cause a ReDoS attack.
Steps to reproduce
This feature is available on gitlab.com but not yet on user instances, so I tested this on gitlab.com and confirmed it via Gitpod:
- In an existing project, or a newly created project, enable the Jira integration:
- Fill the required inputs as you want, but the two following allow ReDoS:
  - Jira issue regex: `((a|b)+|c)+$`
  - Jira issue prefix: `JIRA`
- Open a new issue:
  - title: `test-jira`
  - Write: `JIRAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1`
- Click the `Save changes` button: we can see that the `puma` server uses 100% CPU, then restarts after 5 minutes.
Impact
This ReDoS issue causes a denial of service at the back-end.
What is the current bug behavior?
User input is not sanitized
What is the expected correct behavior?
User input should be sanitized before being used in a regex.
Output of checks
This bug happens on GitLab.com
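The following Ruby is an added example and is not GitLab's code or part of the report. It reproduces the shape of the quoted method and shows two checks a server can apply before a user-supplied Jira pattern is ever run against issue text: escaping the prefix so it is matched literally, and bounding match time so a backtracking pattern is rejected when the setting is saved rather than stalling a worker. The function names, the probe string and the 0.5 s limit are assumptions of the example.

```ruby
require 'timeout'

# Same shape as the method quoted in the report: both the prefix and the
# pattern are interpolated into the regex source verbatim, so a prefix such
# as "J.RA" acts as a pattern, and a pattern with nested quantifiers backtracks.
def jira_issue_match_regex(prefix, pattern)
  /\b#{prefix}(?<issue>#{pattern})/
end

# Hardened build (assumed design, not GitLab's): the prefix is meant to be
# literal text, so escape it; the pattern is compiled here so a syntax error
# becomes a validation failure instead of an exception while rendering an issue.
def hardened_jira_issue_match_regex(prefix, pattern)
  Regexp.new("\\b#{Regexp.escape(prefix)}(?<issue>#{pattern})")
rescue RegexpError => e
  raise ArgumentError, "invalid Jira issue regex: #{e.message}"
end

# Match with a wall-clock bound. Returns MatchData, nil when there is no
# match, or :timeout when matching exceeds the limit. Timeout can interrupt
# Onigmo because the engine polls for pending interrupts while matching.
def bounded_match(regex, text, limit_seconds: 0.5)
  Timeout.timeout(limit_seconds) { regex.match(text) }
rescue Timeout::Error
  :timeout
end

# Validation to run when the integration settings are saved: compile the
# pattern and probe it against a constructed input shaped like the report's
# (prefix, a run of repeated characters, one trailing character that defeats
# a final anchor). Returns [:ok, regex] or [:rejected, reason].
def validate_jira_issue_regex(prefix, pattern, probe_length: 40, limit_seconds: 0.5)
  regex = hardened_jira_issue_match_regex(prefix, pattern)
  probe = "#{prefix}#{'a' * probe_length}1"
  case bounded_match(regex, probe, limit_seconds: limit_seconds)
  when :timeout
    [:rejected, "pattern exceeded #{limit_seconds}s on a #{probe.length}-character probe"]
  else
    [:ok, regex]
  end
end

if __FILE__ == $PROGRAM_NAME
  # The report's pattern, a back-reference variant, and a harmless pattern.
  # Ruby 3.2 added memoization that makes the report's pattern linear on recent
  # interpreters; back-references are excluded from that optimization, so the
  # second pattern is rejected on every Ruby version.
  [
    ["JIRA", "((a|b)+|c)+$"],
    ["JIRA", "(?<run>(a|b)+|c)+\\k<run>$"],
    ["JIRA", "\\d+"]
  ].each do |prefix, pattern|
    status, detail = validate_jira_issue_regex(prefix, pattern)
    puts "#{pattern.inspect}: #{status} #{detail.is_a?(Regexp) ? detail.source : detail}"
  end
end
```

The probe is only a smoke test for the settings form; the time bound on every match is what actually protects the worker, and on Ruby 3.2 and later the same bound can be set natively with `Regexp.timeout=` or the `timeout:` keyword of `Regexp.new`.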
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: