
ReDoS attack via 'quote search --regexp' if the quote DB is large enough #855

Closed
IonCannon218 opened this issue Sep 15, 2014 · 8 comments

Comments

IonCannon218 (Author) wrote:

Doing quote search --regexp "/.*.*.*.*.*.*.*invalid/" would spam the not found message after accumulating enough errors before that. But, if there is enough of the repeated .* in the regex, the bot seems to create multiple instances of itself. The bot owner says this actually crashed the computer running the bot.

Logs: https://gist.github.com/IonCannon218/15d344aef757982980d0

jlu5 (Collaborator) commented Sep 15, 2014

I realize this issue is relatively difficult to reproduce. On a fresh test install of Limnoria, I get strange `Signal #15.` messages in the log that don't seem to match Limnoria's logging format at all:

IRC: (I added some instances of `dict random` as quotes for testing)

16:06 <+GLolol> %quote search --regexp "/.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*eng/"
16:06 <@Atlas> 3 found: #10: "fd-iri-eng", #2: "fd-cro-eng", and #6: "fd-slo-eng"

Console output:

INFO 2014-09-15T16:06:03 quote search called on #dev by
     "GLolol!GLolol@pfemdx.beneath.the.plaguebox.net".
INFO 2014-09-15T16:06:18 quote search called on #dev by
     "GLolol!GLolol@pfemdx.beneath.the.plaguebox.net".
Signal #15.
Signal #15.
Signal #15.
Signal #15.
Signal #15.
Signal #15.

@IonCannon218 What OS/Python version/Supybot version are you using? Running `misc version` on your bot and pasting the output here may be helpful.

This seems to be yet another forkbomb vulnerability. :/

jlu5 (Collaborator) commented Sep 15, 2014

FYI, the same result can be achieved by abusing other regexp-capable commands such as `misc last`, along with high CPU usage.

IonCannon218 (Author) wrote:

<HomBot> The current (running) version of this Supybot is 0.83.4.1+limnoria installed on 2014-09-07T16-15-56, running on Python 2.7.8 (default, Jul  4 2014, 13:08:34)  [GCC 4.9.0]. The newest versions available online are 2014.09.14 (in testing), 2014.08.18 (in master).

progval (Owner) commented Sep 16, 2014

What is that `quote` command?

jlu5 (Collaborator) commented Sep 16, 2014

The one in the Quote plugin I believe.

Mikaela (Contributor) commented Sep 17, 2014

> The one in the Quote plugin I believe.

which comes by default with stock, Gribble and Limnoria, so this is the correct place.

IonCannon218 (Author) wrote:

Reproduced: https://gist.github.com/IonCannon218/38120043c45a56fe6d97
Seems to require high uptime with enough use of the bot.

The bot's uptime was:

I have been running for 11 weeks, 0 days, 12 hours, 39 minutes, and 59 seconds.

I suspect the quotes database content for our specific bot could be a cause for triggering this bug.

jlu5 (Collaborator) commented Sep 29, 2017

Confirming this issue - it looks like it gets progressively worse as the quote database grows, since a separate process is spawned for each quote, and these quickly hit the 0.1 `regexp_wrapper` timeout.
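The defender-side change the comment above points at, written out as an added example that is not Limnoria's code: run the whole search for one command in a single helper process under one overall time budget, instead of one process per quote, so the cost a caller can impose no longer grows with the size of the quote database. A cheap pre-check in front of it refuses patterns built from long chains of unbounded quantifiers, the shape used in this report. The `QUOTES` dictionary is constructed sample data; `count_unbounded`, `budgeted_search`, the `max_unbounded` limit and the `budget_s` default are all assumptions of this example and are not Limnoria APIs.

```python
"""Added example: one budgeted helper process per regexp search (not Limnoria's code)."""
import multiprocessing
import re

# Constructed sample quote database, keyed by quote id (not real bot data).
QUOTES = {1: "fd-iri-eng", 2: "fd-cro-eng", 3: "hello world", 4: "nothing to see here"}

# The shape of pattern from the report: a chain of unbounded quantifiers that
# backtracks combinatorially on every quote that does not contain "invalid".
PATHOLOGICAL = ".*" * 7 + "invalid"

# Tokenizer for the pre-check: escapes and character classes are consumed whole
# so that a literal "\*" or "[a*]" is not mistaken for a quantifier.
_TOKEN = re.compile(r"\\.|\[(?:\\.|[^\]])*\]|\*|\+|\{\d*,\}|.", re.S)


def count_unbounded(pattern):
    """Count unbounded quantifiers (*, +, {n,}) outside escapes and classes.

    Heuristic (an assumption of this example): it does not prove a pattern
    safe, it only refuses the obviously abusive shapes before any matching.
    """
    count = 0
    for tok in _TOKEN.finditer(pattern):
        t = tok.group()
        if t in ("*", "+") or (t.startswith("{") and t.endswith(",}")):
            count += 1
    return count


def _worker(pattern, quotes, conn):
    """Runs in the helper process: match every quote, send back the ids."""
    rx = re.compile(pattern)
    conn.send([qid for qid, text in quotes.items() if rx.search(text)])
    conn.close()


def budgeted_search(pattern, quotes, budget_s=0.5, max_unbounded=3):
    """Search all quotes for pattern under ONE overall time budget.

    Returns (status, ids); status is one of "ok", "invalid", "rejected",
    "timeout" or "error". A database with ten times more quotes still costs
    the caller at most budget_s seconds of CPU in the helper process.
    """
    try:
        re.compile(pattern)
    except re.error:
        return "invalid", []
    if count_unbounded(pattern) > max_unbounded:
        return "rejected", []
    # Fork where available so the worker shares the already-loaded DB cheaply.
    methods = multiprocessing.get_all_start_methods()
    ctx = multiprocessing.get_context("fork" if "fork" in methods else methods[0])
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(pattern, quotes, send_end))
    proc.start()
    send_end.close()  # parent keeps only the read end, so a dead worker yields EOF
    if not recv_end.poll(budget_s):
        proc.terminate()  # the search as a whole overran its budget: kill it
        proc.join()
        return "timeout", []
    try:
        ids = recv_end.recv()
    except EOFError:  # worker died without answering
        proc.join()
        return "error", []
    proc.join()
    return "ok", ids


if __name__ == "__main__":
    print(budgeted_search("eng$", QUOTES))
    print(budgeted_search(PATHOLOGICAL, QUOTES))
    # Classic catastrophic-backtracking shape on a string it can never match.
    print(budgeted_search("(a+)+b", {1: "a" * 64}, budget_s=0.3, max_unbounded=5))
```

The matching has to happen in a separate process because CPython's regex engine does not check for signals while it backtracks, so a timer in the bot's own process could not interrupt it; the point of the example is only that there is one such process and one budget per command rather than one per quote. The timing-dependent part is the kill on budget overrun; the pre-check is deterministic and costs nothing.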

jlu5 changed the title from "Quotes Plugin Regex" to "ReDoS attack via 'quote search --regexp' if the quote DB is large enough" on Sep 29, 2017