Backend: ReDoS in CI interpolation (fix bypass)
HackerOne report #2358689 by joaxcar on 2024-02-08, assigned to GitLab Team:
Report | Attachments | How To Reproduce
Report
Summary
Bypass of fix for CVE-2023-6386
The 16.8.2 security release contained a fix for a ReDoS issue in /lib/gitlab/ci/config/interpolation/block.rb adding this regexp
PATTERN = /(?<block>\$\[\[\s*(?<data>\S{1}.*?\S{1})\s*\]\])/ This fixes the previous issue but still allows for catastrophic backtracking. Given a string of this form
']$[['.repeat(100000) + ']' The regex will blow up. Causing the same denial of service as prior the fix
Steps to reproduce
Set up a test Gitlab instance
- Log in to the gitlab instance
- Create a project
- Upload the two files added to this report into the project
- Open devtools
- Go to https://gitlab.com/GROUP/PROJECT/-/ci/editor?branch_name=main
- You should see a GraphQL call getting stuck and failing. This request can be copied and run X times to exhaust the server
Impact
ReDos exhausting server resources
What is the current bug behavior?
The fixed regexp is still vulnerable to catastrophic backtracking
What is the expected correct behavior?
The regexp should not allow catastrophic backtracking
Impact
ReDos exhausting server resources
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Technical Details
Added by @avielle during refinement.
- This vulnerability doesn't exist on GitLab
masteranymore because of the Ruby 3.2 upgrade. Ruby 3.2 has builtin ReDoS prevent: https://reinteractive.com/articles/regex-improvements-in-the-new-ruby-3-2 - Despite that, we should still fix the vulnerability because the backports will apply to GitLab versions with Ruby 3.1
- We should try using
Gitlab::UntrustedRegexto fix the vulnerability. This may require rewriting the RegEx to avoid backtracking (hence the weight 3). More details in https://gitlab.com/gitlab-org/gitlab/-/issues/433520#note_1791372534