paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 21:43:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e2d303c1bb5f538d17dc3d9134bc8858bdece781
zulip/frontend_tests/puppeteer_tests/realm-linkifier.ts
Alex Vandiver e2d303c1bb CVE-2021-41115: Use re2 for user-supplied linkifier patterns. 
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar.  The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.

Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed.  As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.

Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.

A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.

The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-10-04 17:24:37 +00:00

143 lines
5.4 KiB
TypeScript
Raw Blame History

import {strict as assert} from "assert";
import type {Page} from "puppeteer";
import common from "../puppeteer_lib/common";
async function test_add_linkifier(page: Page): Promise<void> {
await page.waitForSelector(".admin-linkifier-form", {visible: true});
await common.fill_form(page, "form.admin-linkifier-form", {
pattern: "#(?P<id>[0-9]+)",
url_format_string: "https://trac.example.com/ticket/%(id)s",
});
await page.click("form.admin-linkifier-form button.button");
const admin_linkifier_status_selector = "div#admin-linkifier-status";
await page.waitForSelector(admin_linkifier_status_selector, {visible: true});
const admin_linkifier_status = await common.get_text_from_selector(
page,
admin_linkifier_status_selector,
);
assert.strictEqual(admin_linkifier_status, "Custom linkifier added!");
await page.waitForSelector(".linkifier_row", {visible: true});
assert.strictEqual(
await common.get_text_from_selector(page, ".linkifier_row span.linkifier_pattern"),
"#(?P<id>[0-9]+)",
);
assert.strictEqual(
await common.get_text_from_selector(
page,
".linkifier_row span.linkifier_url_format_string",
),
"https://trac.example.com/ticket/%(id)s",
);
}
async function test_delete_linkifier(page: Page): Promise<void> {
await page.click(".linkifier_row .delete");
await page.waitForSelector(".linkifier_row", {hidden: true});
}
async function test_add_invalid_linkifier_pattern(page: Page): Promise<void> {
await page.waitForSelector(".admin-linkifier-form", {visible: true});
await common.fill_form(page, "form.admin-linkifier-form", {
pattern: "(foo",
url_format_string: "https://trac.example.com/ticket/%(id)s",
});
await page.click("form.admin-linkifier-form button.button");
await page.waitForSelector("div#admin-linkifier-pattern-status", {visible: true});
assert.strictEqual(
await common.get_text_from_selector(page, "div#admin-linkifier-pattern-status"),
"Failed: Bad regular expression: missing ): (foo",
);
}
async function test_edit_linkifier(page: Page): Promise<void> {
await page.click(".linkifier_row .edit");
await page.waitForFunction(() => document.activeElement === $("#linkifier-edit-form-modal")[0]);
await common.fill_form(page, "form.linkifier-edit-form", {
pattern: "(?P<num>[0-9a-f]{40})",
url_format_string: "https://trac.example.com/commit/%(num)s",
});
await page.click(".submit-linkifier-info-change");
await page.waitForSelector("#linkifier-edit-form-modal", {hidden: true});
await page.waitForFunction(() => $(".edit-linkifier-status").text().trim() === "Saved");
await page.waitForSelector(".linkifier_row", {visible: true});
assert.strictEqual(
await common.get_text_from_selector(page, ".linkifier_row span.linkifier_pattern"),
"(?P<num>[0-9a-f]{40})",
);
assert.strictEqual(
await common.get_text_from_selector(
page,
".linkifier_row span.linkifier_url_format_string",
),
"https://trac.example.com/commit/%(num)s",
);
}
async function test_edit_invalid_linkifier(page: Page): Promise<void> {
await page.click(".linkifier_row .edit");
await page.waitForFunction(() => document.activeElement === $("#linkifier-edit-form-modal")[0]);
await common.fill_form(page, "form.linkifier-edit-form", {
pattern: "#(?P<id>d????)",
url_format_string: "????",
});
await page.click(".submit-linkifier-info-change");
const edit_linkifier_pattern_status_selector = "div#edit-linkifier-pattern-status";
await page.waitForSelector(edit_linkifier_pattern_status_selector, {visible: true});
const edit_linkifier_pattern_status = await common.get_text_from_selector(
page,
edit_linkifier_pattern_status_selector,
);
assert.strictEqual(
edit_linkifier_pattern_status,
"Failed: Bad regular expression: bad repetition operator: ????",
);
const edit_linkifier_format_status_selector = "div#edit-linkifier-format-status";
await page.waitForSelector(edit_linkifier_format_status_selector, {visible: true});
const edit_linkifier_format_status = await common.get_text_from_selector(
page,
edit_linkifier_format_status_selector,
);
assert.strictEqual(
edit_linkifier_format_status,
"Failed: Enter a valid URL.,Invalid URL format string.",
);
await page.click(".cancel-linkifier-info-change");
await page.waitForSelector("#linkifier-edit-form-modal", {hidden: true});
await page.waitForSelector(".linkifier_row", {visible: true});
assert.strictEqual(
await common.get_text_from_selector(page, ".linkifier_row span.linkifier_pattern"),
"(?P<num>[0-9a-f]{40})",
);
assert.strictEqual(
await common.get_text_from_selector(
page,
".linkifier_row span.linkifier_url_format_string",
),
"https://trac.example.com/commit/%(num)s",
);
}
async function linkifier_test(page: Page): Promise<void> {
await common.log_in(page);
await common.manage_organization(page);
await page.click("li[data-section='linkifier-settings']");
await test_add_linkifier(page);
await test_edit_linkifier(page);
await test_edit_invalid_linkifier(page);
await test_add_invalid_linkifier_pattern(page);
await test_delete_linkifier(page);
}
common.run_test(linkifier_test);
Reference in New Issue View Git Blame Copy Permalink