ReDoS issue in the Codeowners reference extractor
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #2269023](https://hackerone.com/reports/2269023)** by `joaxcar` on 2023-12-01, assigned to @cmaxim:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
There exists a ReDoS issue in the Codeowners reference extractor
https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/code_owners/reference_extractor.rb#L11
The Regex looks like this.
```ruby
EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/
```
and will time out on long strings ending with an `@` character.


By sending a small number of requests to the `validateCodeownerFile` GraphQL query, the instance will start running all CPUs at 100% and cause delays on user requests to the server.
##### Steps to reproduce
Test this on a self-hosted instance! Use a Premium instance.
1. Log in to https://gitlab.example.com
2. Create a new project
3. In the project create a file named `CODEOWNERS`
4. Add this content in the file
```
README.md <ZEROS>@
```
Replace `<ZEROS>` with a lot of zeros. I don't know what the lower threshold is, but add something like 100 000 to be sure.
5. Save the file
6. Open devtools
7. Refresh the page
8. Go to the network tab. You should see a graphql request in `pending` state.
9. Right click the request and select `copy` and `copy as curl`
10. Use it in a terminal like this
```bash
for i in $(seq 1 20);
do
<CURL COMMAND> &
done
```
11. Open `top` or `htop` on the gitlab server to see all CPUs going to 100%. Also, try to use the site and see that you get a lot of delays.
The DoS is only up for 1 min, and then the attacker needs to send requests again, but the number of requests is low.
##### Impact
ReDoS takes up CPU and causes resource consumption with a low number of requests. It can keep an instance inaccessible with about 10 requests a minute.
##### What is the current bug behavior?
The regexp used to check for email addresses in CODEOWNERS is vulnerable to ReDoS.
##### What is the expected correct behavior?
The regexp needs to be rewritten to avoid locking up the Puma threads.
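Added example (not GitLab's code and not the fix that shipped; the hardened pattern is an assumption about one way to remove the quadratic scan). It places the pattern quoted in the report beside a variant that only allows a match to start at a token boundary, runs both over constructed CODEOWNERS lines to show they accept the same references, and times them on a shortened version of the `0000...0@` input from the report. The names `VULNERABLE_EMAIL_REGEXP`, `HARDENED_EMAIL_REGEXP`, `extract_emails` and `pathological_line` are this example's own.

```ruby
# Added example, not GitLab's code: compare the reported pattern with a
# backtracking-safe variant on constructed CODEOWNERS input.
require "benchmark"

# Pattern quoted in the report (ee/lib/gitlab/code_owners/reference_extractor.rb).
# On "0000...0@" the engine retries from every one of the N zeros and walks to
# the '@' each time before failing, so one line costs O(N^2) steps.
VULNERABLE_EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/

# Hardened variant (assumed fix, not the upstream patch): the negative lookbehind
# only lets a match start at the beginning of a whitespace-free token (or right
# after an '@'), so the N-1 mid-token restarts fail in O(1) and the scan is
# linear in the line length. Because the greedy first group already reaches the
# same '@' from the token start, the set of accepted emails does not change.
HARDENED_EMAIL_REGEXP = /(?<email>(?<![^@\s])[^@\s]+@[^@\s]+(?<!\W))/

# Returns the distinct email-like references found in a CODEOWNERS body.
def extract_emails(text, regexp)
  text.scan(regexp).map(&:first).uniq
end

# Wall-clock seconds for one extraction, to show the shape of the cost.
def extraction_seconds(text, regexp)
  Benchmark.realtime { extract_emails(text, regexp) }
end

# Constructed sample lines (not from the report).
SAMPLE_CODEOWNERS = <<~CODEOWNERS
  README.md alice@example.com @backend-team
  docs/ bob.builder@example.org, carol@example.net.
  *.rb @ops
CODEOWNERS

# Shape of the line in the report, with a configurable number of zeros so the
# vulnerable pattern still finishes when run locally.
def pathological_line(zeros)
  "README.md #{'0' * zeros}@"
end

if __FILE__ == $PROGRAM_NAME
  p extract_emails(SAMPLE_CODEOWNERS, VULNERABLE_EMAIL_REGEXP)
  p extract_emails(SAMPLE_CODEOWNERS, HARDENED_EMAIL_REGEXP)
  # Doubling the zeros roughly quadruples the vulnerable time and barely moves
  # the hardened one.
  [1_000, 2_000, 4_000].each do |n|
    line = pathological_line(n)
    printf("%6d zeros  vulnerable %.4fs  hardened %.4fs\n", n,
           extraction_seconds(line, VULNERABLE_EMAIL_REGEXP),
           extraction_seconds(line, HARDENED_EMAIL_REGEXP))
  end
end
```

The timing loop stays at a few thousand zeros on purpose; at the 100 000 used in the report the vulnerable pattern needs on the order of 5 billion character steps per line, which is the minute-long stall the reporter observed, while the hardened pattern on the same input returns in milliseconds. On Ruby 3.2 or later, `Regexp.timeout=` is a further defence-in-depth setting that bounds any single match regardless of pattern, which turns a ReDoS from a stalled Puma thread into a fast, loggable error.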
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_2023-12-01_at_14.25.22.png](https://h1.sec.gitlab.net/a/2ece3f77-c361-4286-a0ae-fc0d9e18f462/Screenshot_2023-12-01_at_14.25.22.png)
* [Screenshot_2023-12-01_at_14.26.05.png](https://h1.sec.gitlab.net/a/9ad08645-b129-4f04-82ea-840cbf123233/Screenshot_2023-12-01_at_14.26.05.png)
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues