Skip to content

Limit ReDOS by checking the length before running the regexp.#25

Open
dlorenc wants to merge 1 commit intowhilp:masterfrom
chainguard-dev:limit
Open

Limit ReDOS by checking the length before running the regexp.#25
dlorenc wants to merge 1 commit intowhilp:masterfrom
chainguard-dev:limit

Conversation

@dlorenc
Copy link

@dlorenc dlorenc commented Nov 30, 2023

Go doesn't support look-ahead assertions so I did this out of the regexp.

@dlorenc
Limit ReDOS by checking the length before running the regexp.
4f4f069 
Go doesn't support look-ahead assertions so I did this out of the regexp.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
@dlorenc
Copy link
Author

dlorenc commented Nov 30, 2023

This attempts to address CVE-2023-46402 and #24

@hectorj2f
Copy link

hectorj2f commented Dec 1, 2023

LGTM

@dlorenc dlorenc mentioned this pull request Dec 3, 2023
Merged
dlorenc added a commit to dlorenc/os that referenced this pull request Dec 3, 2023
@dlorenc
Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.
e936778 
I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't
heard back from the maintainer yet: whilp/git-urls#25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
dlorenc added a commit to dlorenc/os that referenced this pull request Dec 3, 2023
@dlorenc
Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.
41413f9 
I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't
heard back from the maintainer yet: whilp/git-urls#25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
dlorenc added a commit to dlorenc/os that referenced this pull request Dec 3, 2023
@dlorenc
Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.
0bd53fd 
I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't
heard back from the maintainer yet: whilp/git-urls#25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
@dilipkrai
Copy link

dilipkrai commented Jan 10, 2024

Tagging previous commiter for attention. @whilp @alokmenghrajani @isaaguilar
Would it be possible to merge the PR and create a new release tag.

alokmenghrajani
alokmenghrajani reviewed Jan 11, 2024
View reviewed changes
urls.go
"strings"
)

// Max length of the scpUrl to prevent reDOS attacks
Copy link
Contributor

@alokmenghrajani alokmenghrajani Jan 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should link to https://nvd.nist.gov/vuln/detail/CVE-2023-46402 and https://gist.github.com/6en6ar/7c2424c93e7fbf2b6fc44e7fb9acb95d in this comment so people reading the code in the future have additional context.

I'm also suspicious that Go's regexp library would be vulnerable to a ReDOS in the first place. The underlying code implements re2 and the package comment says: The regexp implementation provided by this package is guaranteed to run in time linear in the size of the input. (This is a property not guaranteed by most open source implementations of regular expressions.) . Something seems off with this CVE.

alokmenghrajani
alokmenghrajani approved these changes Jan 11, 2024
View reviewed changes
Copy link
Contributor

@alokmenghrajani alokmenghrajani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm but I'm not the owner of this repo.

@miselico miselico mentioned this pull request Jan 21, 2024
Closed
@mojotx
Copy link

mojotx commented Feb 11, 2024

I implemented something similar (see #27) except I made my max len 8000, and it is still very performant.

@mojotx mojotx mentioned this pull request Feb 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@alokmenghrajani alokmenghrajani alokmenghrajani approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dlorenc @hectorj2f @dilipkrai @mojotx @alokmenghrajani