Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Artifact tag matcher: Curb complexity when parsing regexps from user input #3836

Merged
merged 2 commits into from
Jul 10, 2024

Conversation

puerco
Copy link
Contributor

@puerco puerco commented Jul 10, 2024

Summary

This PR adds a length limit to the regular expressions we parse from user input to curve the complexity Minder
handles when compiling them to build a tag matcher.

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

This commit adds a limit to the lengrh of regular expressions we take
from user input to set a length limit and curve the complexity Minder
handles when compiling them.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@stacklok.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@stacklok.com>
@puerco puerco requested a review from a team as a code owner July 10, 2024 20:44
@@ -47,6 +47,9 @@ func BuildFilter(tags []string, tagRegex string) (*filter, error) {

// no tags specified, but a regex was, compile it
if tagRegex != "" {
if len(tagRegex) > 512 {
return nil, fmt.Errorf("tag regular expressions are limited to 512 characters")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (non-blocking): it could be useful to define this error statically so that upper layers can react accordingly, e.g. by returning a 400 or 409 in case this codepath is reachable from a handler.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, makes sense. I'll surface it in a follow-up, thanks!

@coveralls
Copy link

Coverage Status

coverage: 53.087% (-0.003%) from 53.09%
when pulling 75e7448 on puerco:regex-filter-limie
into 87416ec on stacklok:main.

@puerco puerco merged commit e77e142 into mindersec:main Jul 10, 2024
22 checks passed
dmjb pushed a commit that referenced this pull request Jul 12, 2024
…input (#3836)

* Mitigate ReDos in artifact tag matcher

This commit adds a limit to the lengrh of regular expressions we take
from user input to set a length limit and curve the complexity Minder
handles when compiling them.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@stacklok.com>

* Add test for artifact.BuildFilter

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@stacklok.com>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@stacklok.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants