ReDoS issue in the Codeowners reference extractor
HackerOne report #2269023 by joaxcar
on 2023-12-01, assigned to @cmaxim:
Report
Summary
There exists a ReDoS issue in the Codeowners reference extractor
https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/code_owners/reference_extractor.rb#L11
The regex looks like this:
EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/
and will time out on long strings ending with an @ character.
Sending a small number of requests to the validateCodeownerFile GraphQL query makes the instance run all CPUs at 100% and causes delays for user requests to the server.
Steps to reproduce
Test this on a self-hosted instance! Use a Premium instance.
1. Log in to https://gitlab.example.com
2. Create a new project
3. In the project, create a file named CODEOWNERS
4. Add this content to the file:
README.md <ZEROS>@
Replace <ZEROS> with a lot of zeros. I don't know what the lower threshold is, but add something like 100 000 to be sure.
5. Save the file
6. Open devtools
7. Refresh the page
8. Go to the network tab. You should see a graphql request in pending state.
9. Right-click the request and select Copy > Copy as cURL
10. Use it in a terminal like this:
for i in $(seq 1 20);
do
<CURL COMMAND> &
done
11. Open top or htop on the GitLab server to see all CPUs going to 100%. Also, try to use the site and see that you get a lot of delays.
The DoS only lasts for about 1 minute, and then the attacker needs to send requests again. But the number of requests is low.
Impact
ReDoS takes up CPU and causes resource consumption with a low number of requests. It can keep an instance inaccessible with about 10 requests a minute.
What is the current bug behavior?
The regexp used to check for email addresses in CODEOWNERS is vulnerable to ReDoS.
What is the expected correct behavior?
The regexp needs to be rewritten to avoid locking up the Puma threads.
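As an added illustration (this is neither GitLab's code nor part of the report), here is the regex quoted above beside a linear-time re-implementation of the same matching rule and a small timing harness. EMAIL_REGEXP is copied from the report; vulnerable_extract, safe_extract and time_extract are names assumed here, and the linear version is one possible replacement, not the fix GitLab shipped. A match can never span whitespace, so the text is split into tokens first and each "@" inside a token is visited once; doubling the number of zeros roughly quadruples the regex time while the token-based scan stays flat.

```ruby
require 'benchmark'

# Regex from ee/lib/gitlab/code_owners/reference_extractor.rb as quoted in the
# report. It is unanchored, so `scan` retries it at every start position, and
# `[^@\s]+` backs off one character at a time when the part after "@" is empty:
# a token of n non-space characters ending in "@" costs about n*n/2 steps.
EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/

# What the extractor effectively does (assumed name, illustration only).
def vulnerable_extract(text)
  text.scan(EMAIL_REGEXP).flatten
end

# Linear-time version of the same rule (assumed name, illustration only).
# Local part = run of non-"@" characters before an "@"; domain = run after it,
# cut back to its last word character, which is what (?<!\W) enforces.
def safe_extract(text)
  emails = []
  text.split(/\s+/).each do |token|
    pos = 0
    while (at = token.index('@', pos))
      local = token[pos...at]
      nxt = token.index('@', at + 1) || token.length
      domain = token[(at + 1)...nxt]
      # strip trailing non-word characters one at a time (no backtracking regex)
      stop = domain.length
      stop -= 1 while stop > 0 && domain[stop - 1].match?(/\W/)
      domain = domain[0...stop]
      if local.empty? || domain.empty?
        pos = at + 1                    # nothing matches here; resume after "@"
      else
        emails << "#{local}@#{domain}"
        pos = at + 1 + domain.length    # resume right after the match, like scan
      end
    end
  end
  emails
end

# Seconds spent by the given extractor on the report's payload with n zeros
# (payload shape constructed from the report's CODEOWNERS line).
def time_extract(n)
  payload = "README.md #{'0' * n}@"
  Benchmark.realtime { yield payload }
end

if __FILE__ == $PROGRAM_NAME
  [2_000, 4_000, 8_000].each do |n|
    slow = time_extract(n) { |t| vulnerable_extract(t) }
    fast = time_extract(n) { |t| safe_extract(t) }
    printf("n=%6d  EMAIL_REGEXP %.3fs  linear %.4fs\n", n, slow, fast)
  end
end
```

Running the file shows the regex column growing roughly fourfold per doubling of n while the linear column barely moves; the 100 000-zero payload from the report is handled by safe_extract in milliseconds.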