GHSL-2021-100: ReDoS (Regular Expression Denial of Service) in Octobox - CVE-2021-32848

Coordinated Disclosure Timeline

• 2021-07-12: Report sent to maintainers
• 2021-07-12: Report may have bounced
• 2021-07-12: Contacted support@octobox.io to clarify the status of the report
• 2021-10-12: Maintainers contacted about the expiration of the disclosure deadline
• 2021-10-12: Maintainers requested an extension of the disclosure deadline
• 2021-10-18: Maintainers proposed a fix
• 2021-10-24: Maintainers merged the fix

Summary

A user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability.

Product

octobox

Tested Version

7106b30bf0e2b1f715839784df2f3593b6d4bc88

Details

The Ruby on Rails app uses the following regex for parsing search queries (lib/search_parser.rb#L5):

OPERATOR_EXPRESSION = /(\-?\w+):[\ 　]?([\w\p{Han}\p{Katakana}\p{Hiragana}\p{Hangul}ー\.\-,\/]+|(["'])(\\?.)*?\3)/

The (\\?.)*? part makes it vulnerable to ReDoS attacks because there are two ways of matching the text \a. We can repeat that text to create exponentially many paths through the NFA, and then make the end of the string fail to match, so that the regex engine has to backtrack and try all those paths. For example:

irb(main):010:0> OPERATOR_EXPRESSION.match 'a:"\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a'
processing time: 82.879616s

Impact

Denial of Service

CVE

• CVE-2021-32848

Resources

• https://github.com/octobox/octobox/pull/2807

Credit

This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-100 in any communication regarding this issue.