Coordinated Disclosure Timeline
- 2021-07-12: Report sent to maintainers
- 2021-07-12: Report acknowledged
- 2021-07-13: Maintainers proposed a patch
- 2021-07-13: Issue was fixed
Summary
A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.
Product
OpenProject
Tested Version
OpenProject 11.3.2
Issue details
The MessagesController class has a quote method that implements the logic behind the Quote button in the discussion forums, and it uses the following regex to strip <pre> tags from the message being quoted (app/controllers/messages_controller.rb#L147):
text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')
The (.|\s) part can match a space character in two ways, so an unterminated <pre> tag containing n spaces will cause Ruby’s regex engine to backtrack to try 2n states in the NFA. For example:
irb(main):009:0> text = '<pre> </pre'
processing time: 0.000026s
=> "<pre> </pre"
irb(main):010:0> text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')
processing time: 21.166936s
=> "<pre> </pre"
Impact
Denial of Service
Credit
This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.
Contact
You can contact the GHSL team at securitylab@github.com. Please include GHSL-2021-098 in any communication regarding this issue.