CVE-2021-38244: [SECURITY] Denial of service because of unsafe regex processing · Issue #8680 · cBioPortal/cbioportal
A regular expression denial of service (ReDoS) vulnerability exists in cbioportal 3.6.21 and older via a POST request to /ProteinArraySignificanceTest.json.
[SECURITY] Denial of service because of unsafe regex processing #8680
Closed · edvraa opened this issue Jun 10, 2021 · 10 comments
Comments
Member
inodb commented Jun 15, 2021
Thanks for reporting! I don’t think this code is used anymore actually? Maybe we can delete it?
Hi,
Do you plan to release a GitHub security advisory and/or request CVE number?
Oh, did you just close the issue without fixing the code? Even if the parameters are not used, the code is still callable. Am I missing something?
I thought that since the issue was so brutally closed without explanation, maybe my code analysis is wrong and it is not exploitable. Thus I have followed the instructions from https://docs.cbioportal.org/2.1.1-deploy-with-docker-recommended/docker and ran a local instance of cbioportal in a container. I have a proof of concept where just a single request makes the server CPU consume 100% indefinitely. Please create a security advisory where you could invite me and discuss it in private if you have any questions.
It makes me sad that such a noble project makes it hard to responsibly disclose a security issue that may potentially lead to Denial of Service. Please respond in 24 hours.
Member
jjgao commented Jul 15, 2021
@edvraa Thanks for reporting this. The code is not being used in production anymore. Also, we planned to retire both core and portal modules once all dependencies are removed (cBioPortal/icebox#161), so at this moment, we will not invest time fixing issues in these two modules that will not be running in production.
Author
edvraa commented Jul 15, 2021
@jjgao The question is not whether it is used or not. A single request to http://cbioportal.org/ProteinArraySignificanceTest.json?heat_map=censored&gene=censored&alteration=censored
will make the web server consume 100% CPU. Multiple requests like this may potentially take down the server. Since it is not used, commenting out the function or disabling the route sounds like an easy fix, right?
@edvraa thanks for reporting this! The endpoint has now been deleted in master.
We release frequently and it will be in the next one.
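The failure mode discussed in this thread (one request pinning a CPU core until the match attempt finishes) is catastrophic backtracking: a pattern with nested quantifiers over overlapping character classes can split a near-miss input in exponentially many ways, and a backtracking engine tries all of them before reporting no match. The following is an added example and is not code from cBioPortal or from the reporter; the issue does not show the regex the endpoint used, so the two patterns, the whitespace-separated "gene list" input shape and the `MAX_GENE_LIST_LEN` bound below are hypothetical. It is written in Python because `re` backtracks the same way `java.util.regex` does (neither memoizes), so the growth curve transfers to the Java code path the issue is about.

```python
"""Added example: an ambiguous (ReDoS-prone) regex beside a linear-time rewrite,
with a timing helper to show the exponential growth and an input bound applied
before any regex runs. Patterns and input shape are hypothetical, not cBioPortal's.
"""
from __future__ import annotations

import re
import time

# Hypothetical pattern for a whitespace-separated list of gene symbols.
# (\w+\s*)* is ambiguous: "TP53" can be consumed as one \w+ group or as
# several adjacent ones (because \s* may be empty), so on an input that fails
# at the very end the engine retries every split before giving up.
VULNERABLE = re.compile(r"^(\w+\s*)*$")

# Same language (empty, or a token followed by whitespace-separated tokens and
# optional trailing whitespace), but each character is owned by exactly one
# sub-pattern: a token must be followed by whitespace-plus-token or the end.
# Backtracking is bounded by the input length.
HARDENED = re.compile(r"^(\w+(\s+\w+)*\s*)?$")


def near_miss(n: int) -> str:
    """Constructed attacker input: n valid characters, then one that can never match."""
    return "A" * n + "!"


def seconds_to_match(pattern: re.Pattern, text: str, repeat: int = 3) -> float:
    """Best-of-`repeat` wall-clock time for a single match attempt."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


# Assumed request-side bound on the parameter; not a value taken from cBioPortal.
MAX_GENE_LIST_LEN = 4096


def parse_gene_list(raw: str) -> list[str]:
    """Reject oversized input before any regex runs, then validate with the linear pattern."""
    if len(raw) > MAX_GENE_LIST_LEN:
        raise ValueError("gene list too long")
    if not HARDENED.match(raw):
        raise ValueError("gene list may only contain [A-Za-z0-9_] tokens separated by whitespace")
    return raw.split()


if __name__ == "__main__":
    # Each +1 on n roughly doubles the vulnerable pattern's time; the hardened
    # pattern stays in the microsecond range regardless of n.
    for n in (10, 14, 18):
        t_bad = seconds_to_match(VULNERABLE, near_miss(n))
        t_good = seconds_to_match(HARDENED, near_miss(n))
        print(f"n={n:2d}  vulnerable={t_bad * 1e3:8.2f} ms  hardened={t_good * 1e6:7.1f} us")
```

Two things to take from the example when reviewing an endpoint like the one in this thread: the length check runs before the regex, because even a linear pattern can be fed a multi-megabyte parameter, and the rewrite keeps the accepted language identical so that the fix is purely a performance change, which is worth asserting with a few positive and negative inputs rather than assuming.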