skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
November 24, 2021

GHSL-2021-100: ReDoS (Regular Expression Denial of Service) in Octobox - CVE-2021-32848

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

A user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability.

Product

octobox

Tested Version

7106b30bf0e2b1f715839784df2f3593b6d4bc88

Details

The Ruby on Rails app uses the following regex for parsing search queries (lib/search_parser.rb#L5):

OPERATOR_EXPRESSION = /(\-?\w+):[\  ]?([\w\p{Han}\p{Katakana}\p{Hiragana}\p{Hangul}ー\.\-,\/]+|(["'])(\\?.)*?\3)/

The (\\?.)*? part makes it vulnerable to ReDoS attacks because there are two ways of matching the text \a. We can repeat that text to create exponentially many paths through the NFA, and then make the end of the string fail to match, so that the regex engine has to backtrack and try all those paths. For example:

irb(main):010:0> OPERATOR_EXPRESSION.match 'a:"\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a'
processing time: 82.879616s

Impact

Denial of Service

CVE

Resources

Credit

This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-100 in any communication regarding this issue.