Import from GitHub allows to execute ReDoS with protected branch
# :warning: Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
**[HackerOne report #1862810](https://hackerone.com/reports/1862810)** by `kakashi77` on 2023-02-05, assigned to @cmaxim:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
Hello,
While I was investigating the GitHub import, I found a vulnerability on gitlab.com that allows executing a ReDoS.
When importing a GitHub repository, GitLab imports the branch protection rules, but there is a problem with the regular expression used:
https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/github_import/representation/protected_branch.rb#L20
```ruby
branch_name = branch_protection[:url].match(%r{/branches/(\S{1,255})/protection$})[1]
```
This regex takes polynomial time in the worst case if the input is like `url + "branches/".repeat(10000000) + "protection"`.
##### Steps to reproduce
First, set up a proxy server that changes the protected branch rule results returned by GitHub.
* Create a GitHub repository and a GitHub access token to import into GitLab, and enable a protected branch rule in GitHub.
* You need to set up a proxy server and change the results of the GitHub import. I attached the proxy server scripts in the attachments.
* Run `ngrok http 5000`
* Then set the following values as environment variables:
```
PRIVATE_TOKEN="<your access token in gitlab>"
PERSONAL_ACCESS_TOKEN="<your access token in github>"
GITHUB_HOSTNAME="<ngrok url>"
GITLAB_HOSTNAME="<your selfhost url>"
GITHUB_OWNER="<github account name>"
GITHUB_PROJECT_ID="<project ID for your repository in github>"
GITHUB_REPOSITORY="<repository name in github>"
```
* Run `npm install` and `node app.js`
* Send import API to trigger redos
```
sh request.sh
```
* It will call the import API 3 times.
* You can see from the admin screen that the three `github_importer:github_import_stage_import_protected_branches` jobs take a long time to process and get stuck.
##### Impact
Since you can run it from the API, and by running a large number of API calls at the same time, I believe you can eventually bring down the service.
##### What is the current *bug* behavior?
This regex takes polynomial time in the worst case.
##### Output of checks
###### Results of GitLab environment info
```
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.7p221
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.8
Sidekiq Version:6.5.7
Go Version: unknown
GitLab information
Version: 15.7.5-ee
Revision: 677cf66582b
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.8
URL: http://gitlab.yukiosaki.me
HTTP Clone URL: http://gitlab.yukiosaki.me/some-group/some-project.git
SSH Clone URL: git@gitlab.yukiosaki.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.14.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_from_2023-02-05_23-56-17.png](https://h1.sec.gitlab.net/a/b31df030-623f-48a9-9413-e19a5b8f4b61/Screenshot_from_2023-02-05_23-56-17.png)
* [proxy-github-import.zip](https://h1.sec.gitlab.net/a/e0d0520d-19f2-48d9-b78f-8dbfe55e54fc/proxy-github-import.zip)
* [Screencast_from_2023_02_06__01_06_51_.webm](https://h1.sec.gitlab.net/a/80dc5a3b-a6a7-4f54-98e9-fbee256246d3/Screencast_from_2023_02_06__01_06_51_.webm)
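To make the report's observation concrete, the following Ruby is an added example written for this page; it is not the reporter's proxy script, not an attachment, and not GitLab's fix. It puts the regex from `protected_branch.rb` beside a hypothetical linear-time extractor (`branch_name_safe`, `adversarial_url`, `compare_timing` and the constants are names invented here) and builds a constructed URL in the shape the report gives. The regex is unanchored on the left, so on a URL made of repeated `branches/` the engine retries at every `/branches/` occurrence and backtracks through the up-to-255-character `\S` window each time; the replacement uses only `index`, `end_with?` and a single-character class, whose cost is linear in the URL length.

```ruby
# frozen_string_literal: true
#
# Added example (not the reporter's proxy scripts and not GitLab's fix):
# the regex from the report beside a linear-time replacement, plus the
# adversarial URL shape the report describes.
require 'benchmark'

# The pattern from protected_branch.rb, verbatim.
VULNERABLE_PATTERN = %r{/branches/(\S{1,255})/protection$}

# Behaviour of the original line, minus the [1] on a nil match
# (returns nil instead of raising NoMethodError).
def branch_name_vulnerable(url)
  match = url.match(VULNERABLE_PATTERN)
  match && match[1]
end

BRANCHES_SEGMENT  = '/branches/'
PROTECTION_SUFFIX = '/protection'
MAX_BRANCH_NAME   = 255 # same upper bound as \S{1,255}

# Hypothetical hardened extractor: single-pass string operations and a
# one-character class only, so the cost is linear in the URL length.
# Differences from the regex are deliberate:
#   * whitespace anywhere rejects the URL (the regex only kept it out of
#     the captured name);
#   * "$" becomes end_with?, so a trailing newline no longer matches;
#   * a name longer than 255 characters rejects the URL instead of letting
#     the engine hunt for a later "/branches/" that happens to fit.
def branch_name_safe(url)
  return nil unless url.is_a?(String)
  return nil if url.match?(/[[:space:]]/)
  return nil unless url.end_with?(PROTECTION_SUFFIX)

  start = url.index(BRANCHES_SEGMENT)
  return nil if start.nil?

  name_from = start + BRANCHES_SEGMENT.length
  name_to   = url.length - PROTECTION_SUFFIX.length # exclusive
  name = url[name_from...name_to]
  return nil if name.nil? || name.empty? || name.length > MAX_BRANCH_NAME

  name
end

# Constructed input in the shape the report gives:
# <api url> + "branches/" * repeats + "protection".
def adversarial_url(repeats)
  "https://api.github.com/repos/owner/repo/#{'branches/' * repeats}protection"
end

# Wall-clock seconds for both extractors on one adversarial URL.
def compare_timing(repeats)
  url = adversarial_url(repeats)
  {
    regex: Benchmark.realtime { branch_name_vulnerable(url) },
    safe:  Benchmark.realtime { branch_name_safe(url) }
  }
end

if $PROGRAM_NAME == __FILE__
  [1_000, 10_000, 100_000].each do |n|
    t = compare_timing(n)
    printf("repeats=%-7d regex=%.4fs safe=%.4fs\n", n, t[:regex], t[:safe])
  end
end
```

Run it as a script and raise `repeats` towards the report's 10,000,000 to watch the regex column grow while the `safe` column stays flat. `Regexp.timeout` (Ruby 3.2 and later) is a separate, version-dependent mitigation and is not relied on here.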
## How To Reproduce
Please add [reproducibility information] to this section:
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues