CVE-2023-33290: git-url-parse

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python).


11 releases

  • 0.4.4 (Nov 5, 2022)
  • 0.4.2 (May 30, 2022)
  • 0.4.0 (Nov 14, 2021)
  • 0.3.1 (Jan 27, 2021)
  • 0.1.0 (Feb 6, 2020)


4,256 downloads per month
Used in 16 crates (15 directly)

MIT license

22KB
292 lines

git-url-parse

Supports common protocols as specified by the Pro Git book

See: 4.1 Git on the Server - The Protocols

Supports parsing SSH/HTTPS repo URLs for:

  • GitHub
  • Bitbucket
  • Azure DevOps

See tests/parse.rs for expected output for a variety of inputs.

URLs that use the ssh:// protocol, whether explicitly (an ssh:// prefix) or implicitly (the scp-like user@host:path form), go through a small normalization step before they are parsed.

Internally, the normalized string is then handed to Url::parse() from the url crate.
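The advisory at the top of this page concerns the regular expression that normalize_url applies in this step; a ReDoS means the regex can be driven into catastrophic backtracking by a crafted input. As an added illustration (not the crate's own code), the following std-only Rust function performs the same scp-like-to-ssh:// rewrite with a single forward scan and an explicit input-length bound, so its running time cannot depend on the shape of the input; the bound MAX_URL_LEN, the function name and the error type are assumptions made for this example.

```rust
/// Defensive upper bound on accepted input length (assumed value, not the crate's).
pub const MAX_URL_LEN: usize = 2048;

#[derive(Debug, PartialEq, Eq)]
pub enum NormalizeError {
    TooLong,
    NotScpLike,
}

/// Rewrite the scp-like form "[user@]host:path" as "ssh://[user@]host/path".
/// Inputs that already carry a scheme ("ssh://", "https://", ...) are returned
/// unchanged. Every step is one forward scan over the input, so the cost stays
/// linear in its length no matter how the input is shaped: there is no regex
/// here that a crafted string could push into backtracking.
pub fn normalize_ssh_url(input: &str) -> Result<String, NormalizeError> {
    if input.len() > MAX_URL_LEN {
        return Err(NormalizeError::TooLong);
    }
    let colon = input.find(':').ok_or(NormalizeError::NotScpLike)?;
    let (authority, path) = (&input[..colon], &input[colon + 1..]);
    // "scheme://..." is already in URL form: hand it on as-is.
    if path.starts_with("//") {
        return Ok(input.to_string());
    }
    // git's rule: a '/' before the first ':' means a local path, not a remote.
    if authority.is_empty() || authority.contains('/') || path.is_empty() {
        return Err(NormalizeError::NotScpLike);
    }
    // authority is "[user@]host"; the host part must not be empty.
    let host = authority.rfind('@').map_or(authority, |i| &authority[i + 1..]);
    if host.is_empty() {
        return Err(NormalizeError::NotScpLike);
    }
    let mut out = String::with_capacity(input.len() + "ssh://".len() + 1);
    out.push_str("ssh://");
    out.push_str(authority);
    out.push('/');
    out.push_str(path); // carried over verbatim for the URL parser that runs next
    Ok(out)
}

fn main() {
    // Constructed sample inputs, plus one that exceeds the length bound.
    for s in ["git@github.com:tjtelan/git-url-parse-rs.git",
              "https://github.com/tjtelan/git-url-parse-rs",
              "./local/repo"] {
        println!("{s:?} -> {:?}", normalize_ssh_url(s));
    }
    println!("{:?}", normalize_ssh_url(&"a".repeat(4096)));
}
```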

Examples

Run the examples with debug output:

$ RUST_LOG=git_url_parse cargo run --example multi
$ RUST_LOG=git_url_parse cargo run --example trim_auth

Simple usage and output

$ cargo run --example readme

use git_url_parse::GitUrl;

fn main() {
    println!("SSH: {:#?}", GitUrl::parse("git@github.com:tjtelan/git-url-parse-rs.git"));
    println!("HTTPS: {:#?}", GitUrl::parse("https://github.com/tjtelan/git-url-parse-rs"));
}

Example Output

SSH: Ok(
    GitUrl {
        host: Some(
            "github.com",
        ),
        name: "git-url-parse-rs",
        owner: Some(
            "tjtelan",
        ),
        organization: None,
        fullname: "tjtelan/git-url-parse-rs",
        scheme: Ssh,
        user: Some(
            "git",
        ),
        token: None,
        port: None,
        path: "tjtelan/git-url-parse-rs.git",
        git_suffix: true,
        scheme_prefix: false,
    },
)
HTTPS: Ok(
    GitUrl {
        host: Some(
            "github.com",
        ),
        name: "git-url-parse-rs",
        owner: Some(
            "tjtelan",
        ),
        organization: None,
        fullname: "tjtelan/git-url-parse-rs",
        scheme: Https,
        user: None,
        token: None,
        port: None,
        path: "/tjtelan/git-url-parse-rs",
        git_suffix: false,
        scheme_prefix: true,
    },
)

Dependencies

~9.5MB
~222K SLoC

  • color-eyre 0.6

  • regex

  • strum

  • strum_macros

  • tracing

  • url

  • dev env_logger 0.9

Related news

GHSA-qfh9-8p57-mjjj: git-url-parse crate vulnerable to Regular Expression Denial of Service

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to `normalize_url` in `lib.rs`, a similar issue to CVE-2023-32758 (Python).
