Regular Expression DoS vulnerability in the gedit3 plugin

[yinxiL]

Regular Expression DoS vulnerability in the gedit3 plugin

We are working on the ReDoS problem and detected two vulnerable regexes from your gedit3 plugin code.

Vulnerable regex 1:
.+(<.+>)+([0-9]+)(<.+>)+.* in link
It takes forever for the regex to match the string
"\b<\b>0<\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><><\b><>\n"
We suggest you change the structure (<.+>)+.*, since "." can accept "<" and ">".

Vulnerable regex 2:
</?[\w:-]+(?:\s+[\w-:]+(?:\s*=\s*(?:(?:"[^"]")|(?:'[^\']')|[^>\s]+))?)\s(/?)>$
in link and link
This vulnerability can be triggered by
"<- -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\" -=\"\"\b"
Both \s+[\w\-:]+\s*=\s*"[^"]*" and \s+[\w\-:]+\s*=\s*[^>\s]+ can match " -=\"\"", we suggest you to change (?:"[^"]*") since this branch is mainly included in [^>\s]+.

We didn’t create a pull request because we're not sure if these cases are possible to take place in your program, we also do not understand the functionality of these regexes as you do. Thank you for your understanding.

[abergmann]

CVE-2020-23469 was assigned to this issue.