
ReDoS in Jira prefix

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1934802 by yvvdwf on 2023-04-05, assigned to @dcouture:


Report

Hi,

GitLab recently added a new feature that allows specifying a regex to recognize Jira issues:

### app/models/integrations/jira.rb#L351

```ruby
def jira_issue_match_regex
  # jira_issue_regex is the user-supplied pattern; it falls back to the built-in key regex
  match_regex = (jira_issue_regex.presence || Gitlab::Regex.jira_issue_key_regex)

  # both the user-supplied prefix and the pattern are interpolated unescaped into the regex
  /\b#{jira_issue_prefix}(?<issue>#{match_regex})/
end
```

jira_issue_prefix and jira_issue_regex are user input, which can cause a ReDoS attack.

Steps to reproduce

This feature is available on gitlab.com but not yet on user instances, so I tested this on gitlab.com and confirmed it via Gitpod:

  1. In an existing project, or after creating a new project, enable the Jira integration:
     • fill in the required inputs as you want, but the following two allow ReDoS:
     • Jira issue regex: ((a|b)+|c)+$
     • Jira issue prefix: JIRA

jira-setting.png

  2. Open a new issue:
     • title: test-jira
     • Write: JIRAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1
     • click the Save changes button
     • we can see that the puma server uses 100% CPU, then restarts after 5 minutes.

issue.png

Error on gitlab.com:
500_Error_-_GitLab.png

Impact

This ReDoS issue causes denial of service at the back end.

What is the current bug behavior?

User input is not sanitized

What is the expected correct behavior?

User input should be sanitized before being used in a regex.

Output of checks

This bug happens on GitLab.com

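As an added illustration of the sanitization the report asks for, the following Ruby shows the report's construction beside a hardened one. This is example code written for this page, not GitLab's code and not its actual fix; the helper names, the prefix length limit and the timeout values are assumptions chosen for the example.

```ruby
require 'timeout'

# Hypothetical limits (assumptions for this example, not GitLab settings).
MAX_PREFIX_LENGTH = 50
MATCH_TIMEOUT_SECONDS = 0.5

# Exceptions that mean "the match was cut off": Regexp::TimeoutError exists
# only on Ruby >= 3.2, so it is added conditionally.
MATCH_ERRORS = [Timeout::Error]
MATCH_ERRORS << Regexp::TimeoutError if defined?(Regexp::TimeoutError)

# The construction from the report: prefix and pattern are interpolated raw,
# so a prefix such as "JIRA+" becomes a quantifier and the user pattern can
# backtrack without bound.
def unsafe_jira_regex(prefix, user_regex)
  /\b#{prefix}(?<issue>#{user_regex})/
end

# Hardened construction:
#  * the prefix is meant to be a literal, so Regexp.escape neutralises any
#    metacharacters in it and a length limit keeps it small;
#  * the user pattern is compiled on its own first, so invalid syntax is a
#    validation error at save time instead of an exception at match time;
#  * on Ruby >= 3.2 the compiled regexp carries its own timeout, which the
#    engine enforces on every match.
def safe_jira_regex(prefix, user_regex)
  raise ArgumentError, 'prefix too long' if prefix.length > MAX_PREFIX_LENGTH
  Regexp.new(user_regex) # raises RegexpError on invalid syntax
  source = "\\b#{Regexp.escape(prefix)}(?<issue>#{user_regex})"
  if Regexp.respond_to?(:timeout=)
    Regexp.new(source, timeout: MATCH_TIMEOUT_SECONDS)
  else
    Regexp.new(source)
  end
end

# Extract the issue key with a bound on match time. Timeout.timeout is the
# fallback for interpreters without per-regexp timeouts; a cut-off match is
# reported as "no key found" rather than propagated as a 500.
def find_issue_key(regex, text)
  Timeout.timeout(MATCH_TIMEOUT_SECONDS * 2) do
    m = regex.match(text)
    m && m[:issue]
  end
rescue *MATCH_ERRORS
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the report: prefix JIRA, pattern ((a|b)+|c)+$,
  # a run of "a" that can never satisfy the trailing "$".
  regex = safe_jira_regex('JIRA', '((a|b)+|c)+$')
  text = "JIRA#{'a' * 24}1"
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  key = find_issue_key(regex, text)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  puts "issue key: #{key.inspect} (nil = no match or match cut off)"
  puts "elapsed: #{elapsed.round(2)}s, bounded by the timeout"
end
```

Escaping only fixes the prefix; the pattern itself stays under the user's control, so the bound on match time (or compiling the user pattern with a linear-time engine such as RE2 instead of the backtracking engine) is what actually removes the denial of service. Rejecting invalid patterns when the integration is saved keeps a bad setting from breaking every later issue render.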

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: