skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
August 3, 2021

GHSL-2021-098: ReDoS in OpenProject - CVE-2021-32763

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.

Product

OpenProject

Tested Version

OpenProject 11.3.2

Issue details

The MessagesController class has a quote method that implements the logic behind the Quote button in the discussion forums, and it uses the following regex to strip <pre> tags from the message being quoted (app/controllers/messages_controller.rb#L147):

text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')

The (.|\s) part can match a space character in two ways, so an unterminated <pre> tag containing n spaces will cause Ruby’s regex engine to backtrack to try 2n states in the NFA. For example:

irb(main):009:0> text = '<pre>                           </pre'
processing time: 0.000026s
=> "<pre>                           </pre"
irb(main):010:0> text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')
processing time: 21.166936s
=> "<pre>                           </pre"

Impact

Denial of Service

Credit

This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com. Please include GHSL-2021-098 in any communication regarding this issue.