Denial of Service in chatwoot/chatwoot
Reported on Dec 6th 2021
The extract_reply function (https://github.com/chatwoot/chatwoot/blob/a0ffefad717b632269883863c27242bb97d3b66d/app/presenters/mail_presenter.rb#L105) is highly inefficient on HTML emails. A legitimate LinkedIn email has 20 KB of HTML content which takes a minute or two to process through that function, and on the SaaS site caused undefined behavior such as these emails being delivered with a long delay or multiple times (probably as a result of the Sidekiq worker crashing). An attacker would be able to exploit this to clog up all the workers on the SaaS platform and degrade queue-dependent functionality for everyone.
As a solution tweaking the regexes would work but I suggest scrapping the "homemade" approach and instead using the 'html2text' gem to convert to text and then running the text through the 'email_reply_parser' gem (used by GitHub themselves) to extract the reply out of the text content. I have implemented this solution on my local version and the problem goes away.
I can provide the specific payload that triggered the bug, but honestly this does not require any malicious activity; a legitimate LinkedIn notification email triggered it, so I'm pretty sure you can just take any random HTML page in the 10 KB range as a test.
Regards.
Note that this does not require any authentication as this code is used for parsing incoming emails.
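As an added example (not chatwoot's code, and not the html2text or email_reply_parser gems the report recommends), the following Ruby shows the shape of the fix the reporter describes: convert the HTML to text with bounded, linear-time patterns, then take only the lines above the first quoted line or quote header. It also adds the guard a practitioner would want in front of any unauthenticated parser: an input size cap, so an oversized message is rejected instead of occupying a worker. MAX_HTML_BYTES, the entity table, the quote-header patterns and the sample message are all illustrative assumptions chosen for this example.

```ruby
# Added example, not chatwoot's code or the html2text / email_reply_parser gems:
# bounded HTML-to-text conversion followed by reply extraction, using only
# patterns with a literal terminator ([^>]* or a lazy .*? up to a closing tag)
# so runtime grows with input size instead of backtracking on large markup.
# MAX_HTML_BYTES, ENTITIES and QUOTE_HEADERS are assumptions for illustration.

MAX_HTML_BYTES = 256 * 1024 # assumed cap; tune to the mail sizes you expect

ENTITIES = {
  "&nbsp;" => " ", "&amp;" => "&", "&lt;" => "<", "&gt;" => ">",
  "&quot;" => '"', "&#39;" => "'"
}.freeze

# Lines that mark the start of quoted or forwarded content in common clients.
# Deliberately a small subset of what email_reply_parser recognizes.
QUOTE_HEADERS = [
  /\AOn .+ wrote:\z/,               # Gmail / Apple Mail style
  /\A-+ ?Original Message ?-+\z/i,  # Outlook style
  /\AFrom: .+\z/                    # forwarded-header block
].freeze

# Convert HTML to plain text in a fixed number of single passes.
def html_to_text(html)
  text = html.dup
  text.gsub!(/<style\b.*?<\/style\s*>/mi, "")
  text.gsub!(/<script\b.*?<\/script\s*>/mi, "")
  text.gsub!(/<br\s*\/?>/i, "\n")
  text.gsub!(/<\/(p|div|tr|li|blockquote|h[1-6])\s*>/i, "\n")
  text.gsub!(/<[^>]*>/, "")
  # Decode entities only after tags are gone, so "&lt;" can never become markup.
  text.gsub!(/&(nbsp|amp|lt|gt|quot|#39);/) { |entity| ENTITIES[entity] }
  text
end

# Keep the sender's lines, stopping at the first quoted line or quote header.
def extract_reply(text)
  reply = []
  text.each_line do |raw|
    line = raw.strip
    break if line.start_with?(">") || QUOTE_HEADERS.any? { |re| re.match?(line) }
    reply << line
  end
  reply.join("\n").strip.gsub(/\n{3,}/, "\n\n")
end

# Entry point for an inbound mail body. Oversized input is refused up front
# (returns nil) rather than handed to a worker that may spend minutes on it.
def extract_reply_from_html(html)
  return nil if html.bytesize > MAX_HTML_BYTES
  extract_reply(html_to_text(html))
end

# Constructed sample inbound message for this example (not a captured email).
SAMPLE_HTML = <<~HTML
  <html><body>
  <style>p { color: red }</style>
  <div dir="ltr"><p>Thanks, that fixed it &amp; I can log in now.</p>
  <p>Best,<br>Andre</p></div>
  <div class="gmail_quote">On Mon, Dec 6, 2021 at 10:00 AM Support &lt;support@example.com&gt; wrote:<br>
  <blockquote>&gt; Please try resetting your password.</blockquote></div>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts extract_reply_from_html(SAMPLE_HTML)
  # A multi-megabyte body is rejected instead of parsed.
  oversized = "<p>" + ("<b>x</b> " * 200_000) + "</p>"
  p extract_reply_from_html(oversized)
end
```

The size cap is the part that directly addresses the queue-clogging concern: a regex that is merely slow on 20 KB is a denial-of-service primitive only if the worker is allowed to spend unbounded time on unbounded input. On Ruby 3.2 or later, setting `Regexp.timeout` process-wide is an additional backstop that turns a runaway match into an exception the Sidekiq job can log and fail on, rather than a hung worker.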
Hey andre, thanks for reporting. We will take a look and get back to you.