Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable Regular Expression in vfsjfilechooser2 #7

Closed
yetingli opened this issue Sep 30, 2020 · 5 comments
Closed

Vulnerable Regular Expression in vfsjfilechooser2 #7

yetingli opened this issue Sep 30, 2020 · 5 comments

Comments

@yetingli
Copy link

Type of Issue
Potential Regex Denial of Service (ReDoS)

Description
The vulnerable regular expression is located in

vfsjfilechooser2/src/main/java/com/googlecode/vfsjfilechooser2/utils/VFSURIValidator.java

Line 235 in 5a5f348

Pattern p_ftp2 = Pattern

The ReDOS vulnerability can be exploited with the following string
ftp://:@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::

You can execute the following code to reproduce ReDos

import com.googlecode.vfsjfilechooser2.utils.VFSURIValidator;

public class Main {
    public static void main(String[] args) {
        VFSURIValidator v = new VFSURIValidator();
        String _uri = "ftp://:@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::";
        System.out.println(v.isValid(_uri));
    }
}

I think you can limit the input length or modify this regex.
@fracpete
Copy link
Owner

This project hasn't been under active development for a number of years (I no longer use it). Propose a patch that mitigates the problem and I'll have a look at it.

@yetingli
Copy link
Author

yetingli commented Oct 6, 2020

This project hasn't been under active development for a number of years (I no longer use it). Propose a patch that mitigates the problem and I'll have a look at it.

I am willing to suggest that you replace the Pattern p_ftp2 (ftp|FTP|sftp|SFTP|http|HTTP|https|HTTPS|webdav|WEBDAV|smb|SMB)://(.+:.+@)*([^:]+?/*)([ ]*:[0-9]+)*([ ]*:)*(/.*) with (ftp|FTP|sftp|SFTP|http|HTTP|https|HTTPS|webdav|WEBDAV|smb|SMB)://([^:@]+:[^:@]+@)*([^:]+?/*)([ ]*:[0-9]+)*([ ]*:)*(/.*)

Similarly, Pattern p_ftp3 can also be modified in this way.

Feel free to contact me if you have any questions on these vulnerability disclosures :).

fracpete added a commit that referenced this issue Oct 6, 2020
@fracpete
incorporated Yeting Li's fix for Potential Regex Denial of Service (R…
9c9f2c3 
…eDoS), see #7

passwords can now also contain special characters (eg :), which have to be URL encoded (ie %3A)
@fracpete
Copy link
Owner

fracpete commented Oct 6, 2020

Thanks for that. Tested and incorporated the fix. Also fixed handling of specials chars in passwords, which need to be URL encoded. Pushed out a new release (0.2.9) to Maven Central.

@fracpete fracpete closed this as completed Oct 6, 2020
@OS-WS
Copy link

OS-WS commented Jun 22, 2021

Hi, Was CVE-2021-29061 fixed?
If so, in what commit/version?

Thanks!!

@fracpete
Copy link
Owner

0.2.9 as it says in the comment before your comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fracpete @yetingli @OS-WS