Coordinated Disclosure Timeline

Summary

A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.

Product

OpenProject

Tested Version

OpenProject 11.3.2

Issue details

The MessagesController class has a quote method that implements the logic behind the Quote button in the discussion forums. It uses the following regex to replace <pre>...</pre> blocks in the quoted message with a placeholder (app/controllers/messages_controller.rb#L147):

text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')

The (.|\s) alternation can match a space character in two ways, so an unterminated <pre> tag followed by n spaces forces Ruby's regex engine to backtrack through 2^n states in the NFA before the match fails. For example:

irb(main):009:0> text = '<pre>                           </pre'
processing time: 0.000026s
=> "<pre>                           </pre"
irb(main):010:0> text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')
processing time: 21.166936s
=> "<pre>                           </pre"
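As an added example (not OpenProject's code), the following Ruby puts the pattern quoted above beside an equivalent pattern with the redundant alternation removed, and includes helpers to check that both produce the same output on well-formed input and to time each on the unterminated-<pre> case. The sample strings and helper names are constructed for this illustration.

```ruby
require 'benchmark'

# The pattern used by MessagesController#quote, as quoted in the advisory.
# '(.|\s)' offers two ways to consume every whitespace character, so a
# <pre> with no closing tag makes the engine try 2^n paths before failing.
VULNERABLE_RE = %r{<pre>((.|\s)*?)</pre>}m

# Hardened form (added here, not the project's fix): in Ruby the /m flag
# already makes '.' match newlines, so '.*?' matches exactly the same
# strings while giving the engine a single path through the NFA.
HARDENED_RE = %r{<pre>(.*?)</pre>}m

# Same transformation the controller applies, parameterised by pattern.
def strip_pre(text, re)
  text.to_s.strip.gsub(re, '[...]')
end

# Constructed input: an unterminated <pre> tag followed by n spaces.
def pathological(n)
  "<pre>#{' ' * n}</pre"
end

# Well-formed inputs (constructed) on which both patterns must agree.
SAMPLES = [
  "a <pre>x\ny</pre> b",
  "<pre>one</pre> and <pre>two</pre>",
  "no pre block here",
  "   <pre>\n\tindented\n</pre>   ",
  "<pre>unterminated but short   ",
].freeze

# Returns true when the vulnerable and hardened patterns give identical
# results on every sample, i.e. the rewrite changes behaviour only in cost.
def equivalent_on_samples?(samples = SAMPLES)
  samples.all? { |s| strip_pre(s, VULNERABLE_RE) == strip_pre(s, HARDENED_RE) }
end

# Wall-clock seconds spent applying +re+ to the pathological input of size n.
def seconds_for(n, re)
  text = pathological(n)
  Benchmark.realtime { strip_pre(text, re) }
end

if __FILE__ == $PROGRAM_NAME
  # Keep n small for the vulnerable pattern: cost doubles with every space.
  n = 16
  printf("vulnerable, n=%d: %.4fs\n", n, seconds_for(n, VULNERABLE_RE))
  printf("hardened,   n=%d: %.4fs\n", 100_000, seconds_for(100_000, HARDENED_RE))
  puts "patterns agree on well-formed samples: #{equivalent_on_samples?}"
end
```

Run it and raise n for the vulnerable pattern a step at a time to watch the doubling; the hardened pattern stays linear because a failed lazy match of `.*?` only advances one character per step. On Ruby 3.2 and later, `Regexp.timeout=` gives an additional process-wide backstop against patterns like this that slip through review.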

Impact

Denial of Service

Credit

This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com. Please include GHSL-2021-098 in any communication regarding this issue.