Branch: refs/heads/Deepomatic-better-github-username-check
Home: https://github.com/jenkinsci/ghprb-plugin
Commit: 9ba2032720619d035474b6893d912afaa4813bbb
https://github.com/jenkinsci/ghprb-plugin/commit/9ba2032720619d035474b6893d912afaa4813bbb
Author: Thomas Riccardi <[email protected]>
Date: 2017-11-24 (Fri, 24 Nov 2017)
Changed paths:
M src/main/java/org/jenkinsci/plugins/ghprb/GhprbTrigger.java
Log Message:
-----------
Fix catastrophic backtracking regex match
`adminlistPattern` has exponential backtracking when an invalid character is
encountered. This leads to
`/job/<name>/descriptorByName/org.jenkinsci.plugins.ghprb.GhprbTrigger/checkAdminlist`
requests never returning, and leaking a Java thread working at 100% CPU.
So each load of `/job/<name>/configure` adds +100% CPU to the Jenkins
process, at least when the admin list is configured globally.
This is a DoS security risk, although it requires configuration rights
for the attacker.
There is no timeout in the regex, nor at the HTTP level (possibly not
possible).
Fixed the issue using possessive quantifiers.
The GitHub username rules are:
- GitHub username may only contain alphanumeric characters or hyphens.
- GitHub username cannot have multiple consecutive hyphens.
- GitHub username cannot begin or end with a hyphen.
- Maximum is 39 characters. (not implemented)
Previous implementation:
- GitHub username may only contain alphanumeric characters or hyphens.
- GitHub username cannot begin with a hyphen.
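As an added example (not code from the commit or from the ghprb plugin), the following Java class validates GitHub usernames against the rules listed in the commit message using possessive quantifiers, and times how long each pattern takes to reject a constructed input made of valid characters followed by one invalid character. The regex strings, the whitespace-separated admin-list format and the method names are assumptions; the nested-quantifier pattern is a textbook illustration of catastrophic backtracking, not the plugin's former `adminlistPattern`, which this notification does not show. The 39-character limit, which the commit leaves unimplemented, is enforced here, so the example goes slightly beyond the change described.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public final class GitHubUsernameCheck {

    // Illustrative nested-quantifier pattern (NOT the plugin's former
    // adminlistPattern, which the notification does not show). The inner "+" and
    // the outer "+" can split a run of letters in exponentially many ways, so a
    // trailing invalid character forces the engine to try them all before failing.
    static final Pattern BACKTRACKING = Pattern.compile("^([A-Za-z0-9]+-?)+$");

    // Hardened form (assumed, not copied from the fix): every alphanumeric run is
    // possessive (++), and the hyphen-separated follow-on runs are matched with a
    // possessive repetition (*+). Once a run is consumed it is never given back,
    // so there is exactly one way to scan the input and rejection is linear-time.
    // The structure also encodes the rules: alphanumerics or hyphens only, no
    // leading or trailing hyphen, no two consecutive hyphens.
    static final Pattern POSSESSIVE =
            Pattern.compile("^[A-Za-z0-9]++(?:-[A-Za-z0-9]++)*+$");

    // GitHub's length limit; the commit leaves this rule unimplemented, so
    // enforcing it here goes beyond the original change.
    static final int MAX_LENGTH = 39;

    public static boolean isValidUsername(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_LENGTH) {
            return false;
        }
        return POSSESSIVE.matcher(name).matches();
    }

    // Assumed admin-list format: whitespace-separated usernames. Returns the first
    // invalid entry, or null when every entry is acceptable.
    public static String firstInvalidEntry(String adminList) {
        if (adminList == null || adminList.trim().isEmpty()) {
            return null;
        }
        for (String entry : adminList.trim().split("\\s+")) {
            if (!isValidUsername(entry)) {
                return entry;
            }
        }
        return null;
    }

    // Time one matches() call against a constructed input: a run of valid
    // characters ended by a character neither pattern accepts.
    static long millisToReject(Pattern p, int runLength) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < runLength; i++) {
            sb.append('a');
        }
        sb.append('!');
        long start = System.nanoTime();
        boolean matched = p.matcher(sb).matches();
        long elapsed = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
        if (matched) {
            throw new IllegalStateException("constructed input must be rejected");
        }
        return elapsed;
    }

    public static void main(String[] args) {
        String[] samples = { "octocat", "my-user-1", "-leading", "trailing-",
                             "double--hyphen", "under_score", "" };
        for (String s : samples) {
            System.out.printf("%-18s -> %s%n", "\"" + s + "\"", isValidUsername(s));
        }
        System.out.println("first invalid in list: "
                + firstInvalidEntry("octocat my-user-1 bad--name"));

        // Each extra character roughly doubles the work for the nested pattern
        // (about 2^(n-1) ways to partition the run) while the possessive pattern
        // stays flat, which is the behaviour the commit message describes.
        for (int n = 18; n <= 24; n += 2) {
            System.out.printf("n=%d  nested: %d ms   possessive: %d ms%n", n,
                    millisToReject(BACKTRACKING, n), millisToReject(POSSESSIVE, n));
        }
    }
}
```

The length check is done in plain Java rather than in the regex so that the pattern stays a single unambiguous scan; keeping validation logic outside the regex is generally the simplest way to avoid reintroducing ambiguity when rules are added later.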
Commit: 9e8fca0cda907bc2059440930eaa43af2c2d77d3
https://github.com/jenkinsci/ghprb-plugin/commit/9e8fca0cda907bc2059440930eaa43af2c2d77d3
Author: Björn Häuser <[email protected]>
Date: 2017-11-24 (Fri, 24 Nov 2017)
Changed paths:
M CHANGELOG.md
M src/main/java/org/jenkinsci/plugins/ghprb/GhprbTrigger.java
M src/test/java/org/jenkinsci/plugins/ghprb/GhprbTriggerTest.java
Log Message:
-----------
Add Tests and changelog entry
Compare:
https://github.com/jenkinsci/ghprb-plugin/compare/e0492a6f1f9f...9e8fca0cda90
--
You received this message because you are subscribed to the Google Groups
"Jenkins Commits" group.