ReDoS in `Cargo.toml` blob viewer
HackerOne report #2251278 by yvvdwf
on 2023-11-14, assigned to @greg:
Report
Hello,
The following code is vulnerable to a regular expression denial of service attack (ReDoS) because it uses users' input directly in a regex:
### https://gitlab.com/gitlab-org/gitlab/-/blob/b356ddbbd1929cdca10b3fcd83eacc198c79e58e/lib/gitlab/dependency_linker/cargo_toml_linker.rb#L33-47
```ruby
def link_toml(key, value, type, &url_proc)
  if value.is_a? String
    link_regex(/^(?<name>#{key})\s*=\s*"#{value}"/, &url_proc)
  elsif value.is_a? Hash
    # Don't link when using a custom registry
    return if value['registry']

    # Don't link unless a crates.io version is provided
    # See https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#multiple-locations
    return unless value['version']

    link_regex(/^(?<name>#{key})\s*=\s*\{/, &url_proc)
    link_regex(/^\[#{type}\.(?<name>#{key})\]/, &url_proc)
  end
end
```
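The root cause in the code above is that `key` and `value`, which come straight from the user's `Cargo.toml`, are interpolated into a `Regexp` as pattern text, so a key that is itself a regex with nested quantifiers controls the matcher's complexity. The following is an added example, not GitLab's code: it builds the same style of pattern two ways, verbatim interpolation versus `Regexp.escape`, and shows with constructed keys and lines that the escaped form treats every byte of the untrusted input as a literal. The helper names (`vulnerable_pattern`, `safe_pattern`, `link_name`) and the sample data are assumptions made for the illustration; the catastrophic pattern is only constructed, never executed against input.

```ruby
# Added example (not GitLab's code). Shows why interpolating untrusted TOML
# keys/values into a Regexp is dangerous and how Regexp.escape removes it.

# Defense in depth on Ruby >= 3.2: cap how long any match may run. This is a
# global guard for patterns you cannot fully control; escaping is the real fix.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Constructed key/value pair of the shape the report describes: the key is a
# regex with nested quantifiers. Never matched here, only used to build patterns.
EVIL_KEY   = '.*((a|b)+|c)+'
EVIL_VALUE = 'a' * 40

# Vulnerable construction (mirrors the shape of link_toml): key and value are
# pasted into the pattern as regex syntax, so the user chooses the automaton.
def vulnerable_pattern(key, value)
  /^(?<name>#{key})\s*=\s*"#{value}"/
end

# Hardened construction: Regexp.escape turns every metacharacter into a
# literal, so the resulting pattern is linear in the input and the key
# can only match itself.
def safe_pattern(key, value)
  /^(?<name>#{Regexp.escape(key)})\s*=\s*"#{Regexp.escape(value)}"/
end

# Returns the captured dependency name for a `key = "value"` line, or nil.
def link_name(pattern, line)
  m = pattern.match(line)
  m && m[:name]
end

# True when no unescaped regex metacharacter from the untrusted key survives
# in the compiled pattern, i.e. the key was neutralised before interpolation.
def key_neutralised?(key, pattern)
  pattern.source.include?(Regexp.escape(key))
end

if __FILE__ == $PROGRAM_NAME
  # A dotted key shows the difference: "." is a wildcard in the vulnerable
  # pattern but a literal in the safe one.
  puts link_name(vulnerable_pattern('a.b', '1'), 'axb = "1"').inspect  # "axb"
  puts link_name(safe_pattern('a.b', '1'), 'axb = "1"').inspect        # nil
  puts link_name(safe_pattern('a.b', '1'), 'a.b = "1"').inspect        # "a.b"
  puts key_neutralised?(EVIL_KEY, safe_pattern(EVIL_KEY, EVIL_VALUE))   # true
  puts safe_pattern(EVIL_KEY, EVIL_VALUE).source
end
```

The `key_neutralised?` check is a cheap unit-test assertion for any code path that builds regexes from request or repository data: if the escaped form of the input does not appear verbatim in the compiled pattern's source, something interpolated the raw string.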
Reproduction
- in an existing project, or create a new one.
- add a `Cargo.toml` file with the following content:

```toml
[dependencies]
".*((a|b)+|c)+"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```

- after clicking on `Commit changes` to save the file, you are redirected to a blob viewer page to view the file. You should see that the file takes a long time to render and ends with an error. This is caused by the ReDoS, which consumes a single CPU core at high usage.
- refresh the page as many times as you want to consume other CPU cores to cause a DoS of your GitLab instance.
Impacts
ReDoS causes denial of service at the back end.
Best regards,
yvvdwf