language: reject excessively large Accept-Language strings

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits. Thanks to the OSS-Fuzz project for discovering this issue and to Adam Korczynski (ADA Logics) for writing the fuzz case and for reporting the issue. Fixes CVE-2022-32149 Fixes golang/go#56152 Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/text/+/442235 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]>
golang · Oct 11, 2022 · 434eadc · 434eadc
1 parent 23407e7
commit 434eadc
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/language/parse.go b/language/parse.go
@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
 }
 
 var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
+var errTagListTooLarge = errors.New("tag list exceeds max length")
 
 // ParseAcceptLanguage parses the contents of an Accept-Language header as
 // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
 		}
 	}()
 
+	if strings.Count(s, "-") > 1000 {
+		return nil, nil, errTagListTooLarge
+	}
+
 	var entry string
 	for s != "" {
 		if entry, s = split(s, ','); entry == "" {

diff --git a/language/parse_test.go b/language/parse_test.go
@@ -394,3 +394,16 @@ func TestParseAcceptLanguage(t *testing.T) {
 		}
 	}
 }
+
+func TestParseAcceptLanguageTooBig(t *testing.T) {
+	s := strings.Repeat("en-x-a-", 333)
+	_, _, err := ParseAcceptLanguage(s)
+	if err != language.ErrSyntax {
+		t.Errorf("ParseAcceptLanguage() unexpected error: got %v, want %v", err, language.ErrSyntax)
+	}
+	s += "en-x-a"
+	_, _, err = ParseAcceptLanguage(s)
+	if err != errTagListTooLarge {
+		t.Errorf("ParseAcceptLanguage() unexpected error: got %v, want %v", err, errTagListTooLarge)
+	}
+}