mirror of https://github.com/zulip/zulip.git
db934be064
Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-ahead and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118. |
||
---|---|---|
.. | ||
admin.ts | ||
compose.ts | ||
copy-and-paste.ts | ||
custom-profile.ts | ||
delete-message.ts | ||
drafts.ts | ||
edit.ts | ||
mention.ts | ||
message-basics.ts | ||
navigation.ts | ||
realm-creation.ts | ||
realm-linkifier.ts | ||
realm-playground.ts | ||
settings.ts | ||
stars.ts | ||
subscriptions.ts | ||
user-deactivation.ts | ||
user-status.ts |