Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit ReDOS by checking the length before running the regexp. #25

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Limit ReDOS by checking the length before running the regexp. #25

wants to merge 1 commit into from

Conversation

dlorenc
Copy link

@dlorenc dlorenc commented Nov 30, 2023

Go doesn't support look-ahead assertions so I did this out of the regexp.

@dlorenc
Limit ReDOS by checking the length before running the regexp.
4f4f069 
Go doesn't support look-ahead assertions so I did this out of the regexp.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
@dlorenc
Copy link
Author

dlorenc commented Nov 30, 2023

This attempts to address CVE-2023-46402 and #24

@hectorj2f
Copy link

LGTM

@dlorenc dlorenc mentioned this pull request Dec 3, 2023
Merged
dlorenc added a commit to dlorenc/os that referenced this pull request Dec 3, 2023
@dlorenc
Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.
e936778 
I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't
heard back from the maintainer yet: whilp/git-urls#25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
dlorenc added a commit to dlorenc/os that referenced this pull request Dec 3, 2023
@dlorenc
Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.
41413f9 
I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't
heard back from the maintainer yet: whilp/git-urls#25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
dlorenc added a commit to dlorenc/os that referenced this pull request Dec 3, 2023
@dlorenc
Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.
0bd53fd 
I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't
heard back from the maintainer yet: whilp/git-urls#25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
@dilipkrai
Copy link

Tagging previous commiter for attention. @whilp @alokmenghrajani @isaaguilar
Would it be possible to merge the PR and create a new release tag.

alokmenghrajani
alokmenghrajani reviewed Jan 11, 2024
View reviewed changes
urls.go
@@ -30,6 +30,9 @@ import (
"strings"
)

// Max length of the scpUrl to prevent reDOS attacks
Copy link
Contributor

@alokmenghrajani alokmenghrajani Jan 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should link to https://nvd.nist.gov/vuln/detail/CVE-2023-46402 and https://gist.github.com/6en6ar/7c2424c93e7fbf2b6fc44e7fb9acb95d in this comment so people reading the code in the future have additional context.

I'm also suspicious that Go's regexp library would be vulnerable to a ReDOS in the first place. The underlying code implements re2 and the package comment says: The regexp implementation provided by this package is guaranteed to run in time linear in the size of the input. (This is a property not guaranteed by most open source implementations of regular expressions.) . Something seems off with this CVE.

alokmenghrajani
alokmenghrajani approved these changes Jan 11, 2024
View reviewed changes
Copy link
Contributor

@alokmenghrajani alokmenghrajani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm but I'm not the owner of this repo.

@miselico miselico mentioned this pull request Jan 21, 2024
Open
@mojotx
Copy link

mojotx commented Feb 11, 2024

I implemented something similar (see #27) except I made my max len 8000, and it is still very performant.

@mojotx mojotx mentioned this pull request Feb 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alokmenghrajani alokmenghrajani alokmenghrajani approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dlorenc @hectorj2f @dilipkrai @mojotx @alokmenghrajani