Coordinated Disclosure Timeline
- 2021-07-12: Report sent to maintainers
- 2021-07-12: Report may have bounced
- 2021-07-12: Contacted support@octobox.io to clarify the status of the report
- 2021-10-12: Maintainers contacted about the expiration of the disclosure deadline
- 2021-10-12: Maintainers requested an extension of the disclosure deadline
- 2021-10-18: Maintainers proposed a fix
- 2021-10-24: Maintainers merged the fix
Summary
A user of the system can supply a specially crafted search query string that triggers a regular expression denial of service (ReDoS) in the search parser.
Product
octobox
Tested Version
7106b30bf0e2b1f715839784df2f3593b6d4bc88
Details
The Ruby on Rails app uses the following regex for parsing search queries (lib/search_parser.rb#L5):
OPERATOR_EXPRESSION = /(\-?\w+):[\ ]?([\w\p{Han}\p{Katakana}\p{Hiragana}\p{Hangul}ー\.\-,\/]+|(["'])(\\?.)*?\3)/
The (\\?.)*? part makes it vulnerable to ReDoS attacks because there are two ways of matching the text \a: either \\? consumes the backslash and . consumes the a in a single iteration, or \\? matches nothing, . consumes the backslash, and a second iteration's . consumes the a. We can repeat that text to create exponentially many paths through the NFA, and then make the end of the string fail to match (for example by leaving out the closing quote, so the backreference \3 can never succeed), so that the regex engine has to backtrack and try all those paths. For example:
irb(main):010:0> OPERATOR_EXPRESSION.match 'a:"\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a'
processing time: 82.879616s
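The following is an added example written for this advisory, not code from Octobox and not the fix merged in the pull request linked below. It reproduces the vulnerable OPERATOR_EXPRESSION, places an unambiguous rewrite of the quoted-string branch next to it (HARDENED, an illustrative fix of my own), and times both against the attack input described above. The payload helper and the parse_operators scanner are likewise assumptions made for the demonstration.

```ruby
# Added example (not Octobox code): the OPERATOR_EXPRESSION from
# lib/search_parser.rb reproduced beside an unambiguous rewrite, plus a
# small timing harness. HARDENED is an illustrative fix written for this
# advisory, not the change merged in octobox/octobox#2807.

# Original pattern: (\\?.)*? can consume the two characters \a either as one
# iteration (\\ then .) or as two iterations (. then .), so n copies of \a
# give roughly 2^n ways to reach the failing backreference \3 at the end.
VULNERABLE = /(\-?\w+):[\ ]?([\w\p{Han}\p{Katakana}\p{Hiragana}\p{Hangul}ー\.\-,\/]+|(["'])(\\?.)*?\3)/

# Rewrite: every character inside the quotes is claimed by exactly one
# branch. A backslash must be consumed together with the character it
# escapes (\\.), and anything else must be a non-backslash that is not the
# opening quote ((?!\3)[^\\]). With no overlap between the branches there is
# only one way to tokenise the body, so a missing closing quote fails after
# a single linear pass instead of an exponential search.
HARDENED = /(\-?\w+):[\ ]?([\w\p{Han}\p{Katakana}\p{Hiragana}\p{Hangul}ー\.\-,\/]+|(["'])(?:\\.|(?!\3)[^\\])*\3)/

# Attack input from the advisory: an opening quote, n copies of \a, and no
# closing quote, so the backreference \3 can never succeed.
def redos_payload(n)
  'a:"' + ('\a' * n)
end

# Run one match and return the MatchData (or nil) with wall-clock seconds.
def time_match(regex, input)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  match = regex.match(input)
  [match, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

# Split a search query into [operator, value] pairs using the given
# pattern, so both patterns can be compared on legitimate input too.
def parse_operators(regex, query)
  query.scan(regex).map { |op, value, _quote| [op, value] }
end

if $PROGRAM_NAME == __FILE__
  # Keep n small for the vulnerable pattern: cost roughly doubles per step.
  [8, 10, 12, 14].each do |n|
    _, secs = time_match(VULNERABLE, redos_payload(n))
    printf("vulnerable n=%2d  %.4fs\n", n, secs)
  end
  _, secs = time_match(HARDENED, redos_payload(30))
  printf("hardened   n=30  %.4fs\n", secs)
  p parse_operators(HARDENED, 'repo:octobox/octobox title:"needs \"review\""')
end
```

Two caveats on the rewrite. First, it changes one edge case: a quoted value whose last character before the closing quote is a lone backslash (for example a:"foo\") matched the original pattern but is rejected by HARDENED, because a backslash is now always treated as escaping the character after it; decide whether that is acceptable for the search syntax before adopting such a change. Second, unambiguous patterns are the fix, but on Ruby 3.2 and later Regexp.timeout (globally, or the timeout: keyword of Regexp.new) gives a backstop that turns a runaway match into a Regexp::TimeoutError instead of a stalled request.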
Impact
Denial of Service
CVE
- CVE-2021-32848
Resources
- https://github.com/octobox/octobox/pull/2807
Credit
This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-100 in any communication regarding this issue.