
Import from GitHub allows to execute ReDoS with protected branch


⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1862810 by kakashi77 on 2023-02-05, assigned to @cmaxim:


Report

Summary

Hello,
While I was investigating mining on GitHub import, I found a vulnerability on gitlab.com allowing the execution of ReDoS.
When importing a GitHub repository, GitLab imports the branch protection rules, but there is a problem with the regular expression used:

https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/github_import/representation/protected_branch.rb#L20
When

    branch_name = branch_protection[:url].match(%r{/branches/(\S{1,255})/protection$})[1]

This regex takes polynomial time in the worst case if the input is like url + "branches/".repeat(10000000) + "protection".
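Worked example, added here and neither GitLab's implementation nor part of the report: the regex quoted above next to a structural parser that walks the URL path segment by segment, and a benchmark on a constructed URL of the shape the report describes. The function names (branch_name_regex, branch_name_safe, crafted_url) and the sample URLs are my own; the only thing taken from the page is the regex. The cost of the regex comes from bounded backtracking: at every "/branches/" in the URL the engine consumes up to 255 non-space characters, then retreats one character at a time testing for "/protection" at end of string, so the work is roughly (number of "/branches/" occurrences) × 255 comparisons, which for the 90 MB input the report describes runs into billions.

```ruby
# Added example, not GitLab's code: the extraction quoted from
# protected_branch.rb next to a structural, non-backtracking replacement,
# both exercised on constructed GitHub API URLs.
require 'benchmark'

# The regex exactly as quoted in the report.
PROTECTION_RE = %r{/branches/(\S{1,255})/protection$}

def branch_name_regex(url)
  m = url.match(PROTECTION_RE)
  m && m[1]
end

# Replacement (assumption: the URL has the GitHub API shape
#   https://api.github.com/repos/OWNER/REPO/branches/NAME/protection
# where NAME may itself contain slashes, e.g. "feature/foo").
# Every step is a single pass over the string; nothing backtracks.
def branch_name_safe(url)
  scheme_end = url.index('://')
  return nil unless scheme_end
  path_start = url.index('/', scheme_end + 3)
  return nil unless path_start

  # Keep trailing empty segments so ".../protection/" is rejected like "$" would.
  segments = url[path_start..].split('/', -1)
  # Expected layout: ["", "repos", owner, repo, "branches", name..., "protection"]
  return nil unless segments.length >= 7
  return nil unless segments[1] == 'repos' && segments[4] == 'branches' && segments[-1] == 'protection'

  name = segments[5...-1].join('/')
  # Same bounds the original regex enforced: 1..255 characters, no whitespace.
  return nil if name.empty? || name.length > 255 || name.match?(/\s/)
  name
end

# Constructed input of the kind the report describes: a valid prefix followed
# by many repeated "branches/" segments and a trailing "protection".
def crafted_url(repeats)
  'https://api.github.com/repos/octocat/Hello-World/' + ('branches/' * repeats) + 'protection'
end

if __FILE__ == $PROGRAM_NAME
  repeats = (ARGV[0] || 20_000).to_i
  url = crafted_url(repeats)
  puts "input size: #{url.bytesize} bytes, regex result length: #{branch_name_regex(url).to_s.length}"
  Benchmark.bm(12) do |bm|
    bm.report('regex:') { branch_name_regex(url) }
    bm.report('structural:') { branch_name_safe(url) }
  end
end
```

Run it with a larger argument (for example 1000000) to approach the sizes in the report; the structural parse stays proportional to the input length while the regex pays the 255-wide backtracking window at every "/branches/". On the crafted input the regex still returns a bogus 251-character "branch name" made of repeated "branches" segments, whereas the structural parse rejects it outright. On Ruby 3.2 and later, Regexp.timeout= caps how long any single match may run and is a reasonable defence in depth, but it does not remove the extra work the way the structural parse does.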

Steps to reproduce

First, set up a proxy server to change the results of the protected branch rule in GitHub.

  • First, create a GitHub repository and a GitHub access token to import into GitLab, and enable a protected branch rule in GitHub.
  • You need to set up a proxy server and change the results of the GitHub import. I attached the proxy server scripts in the attachment.
  • Run ngrok http 5000.
  • Then you have to set the following values as environment variables:
PRIVATE_TOKEN="<your access token in gitlab>"
PERSONAL_ACCESS_TOKEN="<your access token in github>"
GITHUB_HOSTNAME="<ngrok url>"
GITLAB_HOSTNAME="<your selfhost url>"
GITHUB_OWNER="<github account name>"
GITHUB_PROJECT_ID="<project Id for your repository in github>"
GITHUB_REPOSITORY="<repository name in github>"
  • Run npm install and node app.js.
  • Send the import API request to trigger ReDoS:

    sh request.sh

  • It will call the import API 3 times.
  • You can see from the admin screen that the three github_importer:github_import_stage_import_protected_branches jobs are taking a long time to process and are stuck.
Impact

Since you can run it from the API, and by making a large number of API calls at the same time, I believe you can eventually bring down the service.

What is the current bug behavior?

This regex takes polynomial time in the worst case.

Output of checks


Results of GitLab environment info
System information
System:           Ubuntu 20.04
Proxy:            no
Current User:     git
Using RVM:        no
Ruby Version:     2.7.7p221
Gem Version:      3.1.6
Bundler Version:  2.3.15
Rake Version:     13.0.6
Redis Version:    6.2.8
Sidekiq Version:  6.5.7
Go Version:       unknown

GitLab information
Version:          15.7.5-ee
Revision:         677cf66582b
Directory:        /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:       PostgreSQL
DB Version:       13.8
URL:              http://gitlab.yukiosaki.me
HTTP Clone URL:   http://gitlab.yukiosaki.me/some-group/some-project.git
SSH Clone URL:    git@gitlab.yukiosaki.me:some-group/some-project.git
Elasticsearch:    no
Geo:              no
Using LDAP:       no
Using Omniauth:   yes
Omniauth Providers:

GitLab Shell
Version:          14.14.0
Repository storages:
- default:        unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell


Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by 🤖 GitLab Bot 🤖