Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Artifact tag matcher: Curb complexity when parsing regexps from user input #3836

Merged
merged 2 commits into from
Jul 10, 2024
Merged

Artifact tag matcher: Curb complexity when parsing regexps from user input #3836

merged 2 commits into from
Jul 10, 2024

Conversation

puerco
Copy link
Contributor

@puerco puerco commented Jul 10, 2024

Summary

This PR adds a length limit to the regular expressions we parse from user input to curve the complexity Minder
handles when compiling them to build a tag matcher.

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@puerco
Mitigate ReDos in artifact tag matcher
878a78f 
This commit adds a limit to the lengrh of regular expressions we take
from user input to set a length limit and curve the complexity Minder
handles when compiling them.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Add test for artifact.BuildFilter
75e7448 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco puerco requested a review from a team as a code owner July 10, 2024 20:44
blkt
blkt approved these changes Jul 10, 2024
View reviewed changes
internal/providers/artifact/versionsfilter.go
@@ -47,6 +47,9 @@ func BuildFilter(tags []string, tagRegex string) (*filter, error) {

// no tags specified, but a regex was, compile it
if tagRegex != "" {
if len(tagRegex) > 512 {
return nil, fmt.Errorf("tag regular expressions are limited to 512 characters")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (non-blocking): it could be useful to define this error statically so that upper layers can react accordingly, e.g. by returning a 400 or 409 in case this codepath is reachable from a handler.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, makes sense. I'll surface it in a follow-up, thanks!

@coveralls
Copy link

Coverage Status

coverage: 53.087% (-0.003%) from 53.09%
when pulling 75e7448 on puerco:regex-filter-limie
into 87416ec on stacklok:main.

@puerco puerco merged commit e77e142 into mindersec:main Jul 10, 2024
22 checks passed
dmjb pushed a commit that referenced this pull request Jul 12, 2024
@puerco @dmjb
Artifact tag matcher: Curb complexity when parsing regexps from user …
04bac11 
…input (#3836)

* Mitigate ReDos in artifact tag matcher

This commit adds a limit to the lengrh of regular expressions we take
from user input to set a length limit and curve the complexity Minder
handles when compiling them.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add test for artifact.BuildFilter

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blkt blkt blkt approved these changes

@meganbruce meganbruce meganbruce approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@puerco @coveralls @blkt @meganbruce