FELIX-6843: Fix ReDoS vulnerability in grep command#507
Conversation
|
Similar to my PR#501 build failures (#501 (comment)), here also the Maven dependency |
|
I am curious why a fix to the gogo grep command requires changes to the Felix framework? And do other framework implementations need to be concerned with the changes required here to fix the gogo grep command when gogo is installed? |
Thanks for reviewing. |
| public TimeoutCharSequence(CharSequence seq, long timeoutMs) | ||
| { | ||
| this.seq = seq; | ||
| this.timeoutTime = System.currentTimeMillis() + timeoutMs; |
There was a problem hiding this comment.
"in theory" this System.currentTimeMillis() + timeoutMs; could overun and lead to timeoutTime become negative which would cause checkTimeout() to always throw.
e.g. if somebody passes timeoutMs = Long.MAX_VALUE to mean "no timeout"
|
Thanks for catching this. I've switched to System.nanoTime(), added overflow protection for timeout conversion, and propagated the timing state to subsequences to avoid drift. |
3c2304f to
f2b244e
Compare
Keep this PR limited to the gogo grep ReDoS fix; the TCK dependency alignment was unrelated and is reverted.
|
Circling back on the framework question. When I reverted the framework source changes earlier I left the framework.tck dependency bump in by accident, so the diff still looked like it reached into framework. I've now dropped those tck.bndrun/pom.xml changes too, so the PR is confined to the two gogo Posix classes plus the jline test. On whether other framework implementations need to be concerned: no. The change sits entirely inside gogo's grep command, wrapping the user-supplied line in a bounded CharSequence that aborts matching once a time budget is exceeded. Nothing in the framework or in how gogo gets installed is affected. PosixTest passes locally, all 9 cases including the ReDoS timeout ones. |
This PR fixes a ReDoS vulnerability in the grep command for both gogo/shell and gogo/jline.
The fix adds timeout protection for user-supplied regular expressions to prevent catastrophic backtracking patterns such as (a+)+ from causing excessive CPU usage or hanging the process.
A regression test (testGrepReDosTimeout) was also added to verify the fix.