Skip to content

Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql #5613

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 6, 2021
Merged

Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql #5613

merged 1 commit into from
Apr 6, 2021

Conversation

hmakholm
Copy link
Contributor

@hmakholm hmakholm commented Apr 6, 2021

The sub-regex (\s|.)* aims to capture arbitrary string content (in contrast to .* which doesn't match newlines), but it is unsafe, since non-newline whitespace can match both alternatives.

This caused an evaluator crash in the wild.

Replace with [\s\S]*, which matches everything in a safe way.

@hmakholm
Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
2d615ef 
The sub-regex `(\s|.)*` aims to capture arbitrary string content
(in contrast to `.*` which doesn't match newlines), but it is
unsafe, since non-newline whitespace can match both alternatives.

This caused an evaluator crash in the wild.

Replace with `[\s\S]*`, which matches everything in a safe way.
@hmakholm hmakholm added the C++ label Apr 6, 2021
@hmakholm hmakholm requested a review from a team as a code owner April 6, 2021 18:15
@rdmarsh2
Copy link
Contributor

rdmarsh2 commented Apr 6, 2021

Looks good to me, but do we need a change note for this?

@hmakholm
Copy link
Contributor Author

hmakholm commented Apr 6, 2021

do we need a change note for this?

My immediate gut feeling is no. (But that isn't my decision).

I think the problem only triggers for codebases that contain very long string literals with a lot of whitespace in them. So it's a fix for a quite rare failure, which shouldn't have any effects other than this query no longer crashes QL ...

@rdmarsh2 rdmarsh2 added the no-change-note-required This PR does not need a change note label Apr 6, 2021
@rdmarsh2 rdmarsh2 merged commit e22ec50 into main Apr 6, 2021
@rdmarsh2 rdmarsh2 deleted the hmakholm/pr/fix-redos branch April 6, 2021 22:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rdmarsh2 rdmarsh2 rdmarsh2 approved these changes

Assignees
No one assigned
Labels
C++ no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hmakholm @rdmarsh2