Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/ghprb-plugin
  Commit: 5453f8e1f63f3d3f0685a988a02345fb46d32465
      
https://github.com/jenkinsci/ghprb-plugin/commit/5453f8e1f63f3d3f0685a988a02345fb46d32465
  Author: Thomas Riccardi <[email protected]>
  Date:   2017-11-25 (Sat, 25 Nov 2017)

  Changed paths:
    M src/main/java/org/jenkinsci/plugins/ghprb/GhprbTrigger.java

  Log Message:
  -----------
  Fix catastrophic backtracking regex match

`adminlistPattern` has exponential backtracking when an invalid character is
encountered; this leads to
`/job/<name>/descriptorByName/org.jenkinsci.plugins.ghprb.GhprbTrigger/checkAdminlist`
requests never returning, and leaking a Java thread working at 100% CPU.

So each load of `/job/<name>/configure` adds +100% CPU to the Jenkins
process, at least when the admin list is configured globally.

This is a DoS security risk, although it requires configuration rights
for the attacker.

There is no timeout in the regex, nor at the HTTP level (possibly not
possible).

Fixed the issue using possessive quantifiers.

The GitHub username rules are:
- GitHub username may only contain alphanumeric characters or hyphens.
- GitHub username cannot have multiple consecutive hyphens.
- GitHub username cannot begin or end with a hyphen.
- Maximum is 39 characters. (not implemented)

Previous implementation:
- GitHub username may only contain alphanumeric characters or hyphens.
- GitHub username cannot begin with a hyphen.
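The following is an added example, written for this page and not code from the ghprb plugin, of a username check that implements the four rules above with possessive quantifiers in `java.util.regex`. The class name, the pattern, the method names and the whitespace-separated admin-list format are all assumptions made here for illustration; the plugin's own `adminlistPattern` is not reproduced.

```java
import java.util.regex.Pattern;

public final class GitHubUsernameCheck {

    // Rules listed in the commit message: alphanumeric characters or hyphens only,
    // no consecutive hyphens, no leading or trailing hyphen, at most 39 characters.
    // The quantifiers are possessive (++ and *+): once a run of characters has been
    // consumed the matcher never gives it back, so an invalid character late in a
    // long input fails in a single forward pass instead of triggering exponential
    // backtracking. No valid name is lost, because after a run of alphanumerics the
    // only legal continuations are a hyphen or the end of the input.
    private static final Pattern USERNAME =
            Pattern.compile("[a-zA-Z0-9]++(?:-[a-zA-Z0-9]++)*+");

    private static final int MAX_LENGTH = 39;

    private GitHubUsernameCheck() {
    }

    /** Returns true when the candidate satisfies all four rules. */
    public static boolean isValidUsername(String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > MAX_LENGTH) {
            return false;
        }
        // matches() requires the whole input to match, so no ^/$ anchors are needed.
        return USERNAME.matcher(candidate).matches();
    }

    /**
     * Hypothetical form-validation helper. Assumption: entries are whitespace
     * separated (this is not the plugin's own admin-list format). Returns the
     * first offending entry, or null when every entry is a valid username.
     */
    public static String firstInvalidEntry(String adminList) {
        if (adminList == null) {
            return null;
        }
        for (String entry : adminList.trim().split("\\s+")) {
            if (!entry.isEmpty() && !isValidUsername(entry)) {
                return entry;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one per rule.
        String[] samples = {
            "octocat", "my-user-1", "-leading", "trailing-", "dou--ble", "under_score", ""
        };
        for (String s : samples) {
            System.out.printf("%-14s -> %s%n", "\"" + s + "\"", isValidUsername(s));
        }

        // Worst case for a backtracking pattern: a long run of valid characters
        // followed by a single invalid one. The length rule is bypassed here on
        // purpose so that the regex itself is what gets exercised.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 10_000; i++) {
            sb.append('a');
        }
        sb.append('!');
        long start = System.nanoTime();
        boolean valid = USERNAME.matcher(sb.toString()).matches();
        long micros = (System.nanoTime() - start) / 1_000;
        System.out.printf("10000 x 'a' + '!' -> %s in %d us%n", valid, micros);

        System.out.println("first invalid entry in \"alice bob bad--name\": "
                + firstInvalidEntry("alice bob bad--name"));
    }
}
```

The length limit is checked in plain code rather than folded into the pattern, which keeps the regex a single unambiguous path and makes the 39-character rule (noted as not implemented in the commit) easy to turn on or off independently.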


  Commit: aae24c0845b556e001942d88a161399fe54ca0f4
      
https://github.com/jenkinsci/ghprb-plugin/commit/aae24c0845b556e001942d88a161399fe54ca0f4
  Author: Björn Häuser <[email protected]>
  Date:   2017-11-25 (Sat, 25 Nov 2017)

  Changed paths:
    M CHANGELOG.md
    M src/test/java/org/jenkinsci/plugins/ghprb/GhprbTriggerTest.java

  Log Message:
  -----------
  Add Tests and changelog entry


  Commit: c0a6ea78c04306ff75a92a4c67c4ee70d4d5537f
      
https://github.com/jenkinsci/ghprb-plugin/commit/c0a6ea78c04306ff75a92a4c67c4ee70d4d5537f
  Author: Sam Gleske <[email protected]>
  Date:   2017-11-25 (Sat, 25 Nov 2017)

  Changed paths:
    M CHANGELOG.md
    M src/main/java/org/jenkinsci/plugins/ghprb/GhprbTrigger.java
    M src/test/java/org/jenkinsci/plugins/ghprb/GhprbTriggerTest.java

  Log Message:
  -----------
  Merge pull request #597 from jenkinsci/Deepomatic-better-github-username-check

Better GitHub username check


Compare: 
https://github.com/jenkinsci/ghprb-plugin/compare/19ac57913bcb...c0a6ea78c043

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Commits" group.