ReDoS issue in the Codeowners reference extractor

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2269023 by joaxcar on 2023-12-01, assigned to @cmaxim:

Report | Attachments | How To Reproduce

Report

Summary

There exists a ReDoS issue in the Codeowners reference extractor
https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/code_owners/reference_extractor.rb#L11

The regex looks like this:

      EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/

and will time out on long strings ending with an @ character.

Screenshot_2023-12-01_at_14.25.22.png

Screenshot_2023-12-01_at_14.26.05.png

By sending a small number of requests to the validateCodeownerFile GraphQL query, the instance will start running all CPUs at 100% and cause delays on user requests to the server.

Steps to reproduce

Test this on a self-hosted instance! Use a Premium instance.

  1. Log in to https://gitlab.example.com
  2. Create a new project
  3. In the project create a file named CODEOWNERS
  4. Add this content in the file
README.md <ZEROS>@  

Replace <ZEROS> with a lot of zeros. I don't know what the lower threshold is, but add about 100,000 to be sure.
5. Save the file
6. Open devtools
7. Refresh the page
8. Go to the Network tab. You should see a GraphQL request in the pending state.
9. Right-click the request, select Copy, then Copy as cURL.
10. Use it in a terminal like this:

for i in $(seq 1 20); do
  <CURL COMMAND> &
done
11. Open top or htop on the GitLab server to see all CPUs going to 100%. Also, try to use the site and see that you get a lot of delays.
    The DoS only lasts about 1 minute, after which the attacker needs to send requests again, but the number of requests is low.

Impact

ReDoS takes up CPU and causes resource consumption with a low number of requests. An instance can be kept inaccessible with about 10 requests a minute.

What is the current bug behavior?

The regexp used to check for email addresses in CODEOWNERS is vulnerable to ReDoS.

What is the expected correct behavior?

The regexp needs to be rewritten to avoid locking up the Puma threads.
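
An added example (mine, not GitLab's code and not the project's eventual fix) that reproduces the backtracking the report describes and shows one way to rewrite the pattern so a line that cannot contain an address is scanned in linear time. `VULNERABLE_EMAIL_REGEXP` is the pattern quoted above; `HARDENED_EMAIL_REGEXP`, `extract_emails`, `malicious_line`, `scan_seconds` and `timeout_guard_fires?` are names and design choices introduced here. The rewrite only starts a match at a whitespace boundary and makes the quantifier before the `@` possessive; the last helper shows Ruby 3.2's per-pattern `Regexp` timeout as defence in depth.

```ruby
# Added example, not GitLab's code: reproduce the backtracking the report
# describes and compare it with a linear-time rewrite (my assumption, not the
# project's actual fix).
require "benchmark"

# The pattern quoted in the report (ee/lib/gitlab/code_owners/reference_extractor.rb).
VULNERABLE_EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/

# Hardened rewrite (assumption). Two changes keep the scan linear:
#   (?<!\S)      a match may only start at the beginning of a whitespace-
#                delimited token, so the engine does not retry from every
#                character of a token such as "000...0@";
#   [^@\s]++     possessive: once the local part has run up to the "@" and
#                the rest fails, the engine gives up instead of handing back
#                one character at a time.
# The trailing (?<!\W) is kept so "user@example.com." still yields
# "user@example.com"; the second quantifier stays greedy for that backtrack,
# which is bounded by the token length and happens once per token.
HARDENED_EMAIL_REGEXP = /(?<email>(?<!\S)[^@\s]++@[^@\s]+(?<!\W))/

# Collect every value of the named group, as an extractor would.
def extract_emails(regexp, text)
  text.to_enum(:scan, regexp).map { Regexp.last_match[:email] }
end

# Constructed input in the shape of the report's CODEOWNERS line: a path,
# then n zeros, then a trailing "@" that can never complete an address.
def malicious_line(n)
  "README.md #{'0' * n}@"
end

def scan_seconds(regexp, text)
  Benchmark.realtime { extract_emails(regexp, text) }
end

# Defence in depth on Ruby >= 3.2: a per-pattern timeout turns a pathological
# input into a Regexp::TimeoutError after `seconds` instead of pinning a Puma
# thread. Returns nil when the running Ruby has no Regexp#timeout.
def timeout_guard_fires?(regexp, text, seconds)
  return nil unless Regexp.method_defined?(:timeout)

  bounded = Regexp.new(regexp.source, regexp.options, timeout: seconds)
  extract_emails(bounded, text)
  false
rescue Regexp::TimeoutError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed CODEOWNERS-style line: a path, a group handle, two addresses.
  sample = "README.md @frontend alice@example.com bob.smith@example.org."
  p extract_emails(VULNERABLE_EMAIL_REGEXP, sample)
  p extract_emails(HARDENED_EMAIL_REGEXP, sample)

  # Watch how the time grows with the number of zeros for each pattern.
  [1_000, 2_000, 4_000].each do |n|
    line = malicious_line(n)
    printf("zeros=%-5d vulnerable=%.4fs hardened=%.4fs\n", n,
           scan_seconds(VULNERABLE_EMAIL_REGEXP, line),
           scan_seconds(HARDENED_EMAIL_REGEXP, line))
  end

  p timeout_guard_fires?(VULNERABLE_EMAIL_REGEXP, malicious_line(20_000), 0.05)
end
```

Both patterns return the same addresses for the constructed sample line and nothing for the malicious one; the difference is how much work the engine does to reach "nothing". The rewrite does change behaviour for a token that contains several `@` characters (an address must now begin at the token start), which fits whitespace-separated CODEOWNERS entries but should be checked against the extractor's own tests before adopting it. Ruby 3.2+'s regexp matching cache may reduce the growth you observe locally, so the timing loop is there to observe, not to assert on.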

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: