[SECURITY] Denial of service because of unsafe regex processing #8680
Comments
Thanks for reporting! I don't think this code is used anymore actually? Maybe we can delete it?

Hi,

Oh, did you just close the issue without fixing the code? Even if the parameters are not used the code is still callable. Am I missing something?

I thought since the issue was so brutally closed without explanation maybe my code analysis is wrong and it is not exploitable. Thus I have followed the instructions from https://docs.cbioportal.org/2.1.1-deploy-with-docker-recommended/docker and ran a local instance of cbioportal in a container. I have a proof of concept where just a single request makes the server CPU consume 100% indefinitely. Please create a security advisory where you could invite me and discuss it in private if you have any questions. It makes me sad that such a noble project makes it hard to responsibly disclose a security issue that may potentially lead to Denial of Service. Please respond in 24 hours.

@edvraa Thanks for reporting this. The code is not being used in production anymore. Also, we planned to retire both core and portal modules once all dependencies are removed (cBioPortal/icebox#161), so at this moment, we will not invest time fixing issues in these two modules that will not be running in production.

@jjgao The question is not if it is used or not. Single request to

@edvraa thanks for reporting this! The endpoint has now been deleted in master.

A pity it didn't make it into https://github.com/cBioPortal/cbioportal/releases/tag/v3.6.21 by one hour.

We release frequently and it will be in the next one.

I have tried to contact you by cbioportal@cbio.mskcc.org and asked for any other email in #8658. Nobody replied.
The cBioPortal is vulnerable to regex injection that may lead to Denial of Service.
User controlled heatmap and alteration are used to build and run a regex expression:
cbioportal/core/src/main/java/org/mskcc/cbio/portal/servlet/ProteinArraySignificanceTestJSON.java
Lines 104 to 106 in e086d40
The value ends up in getAlteredCases
cbioportal/core/src/main/java/org/mskcc/cbio/portal/servlet/ProteinArraySignificanceTestJSON.java
Lines 279 to 282 in e086d40
Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side.
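
Added example, not code from cBioPortal or from the report: two common hardenings for request parameters that reach `java.util.regex`, the class of issue described above. The class `BoundedRegex`, its method names, the 64-character cap and the sample values are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class BoundedRegex {
    /** CharSequence view that aborts matching once a deadline has passed. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public char charAt(int index) {
            // java.util.regex reads input through charAt, so backtracking passes through here.
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new IllegalStateException("regex evaluation exceeded its time budget");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Fix 1: the request value is data; Pattern.quote strips it of regex meaning. */
    static boolean containsLiteral(String text, String userValue) {
        return Pattern.compile(Pattern.quote(userValue)).matcher(text).find();
    }

    /** Fix 2: a caller-supplied pattern is unavoidable; cap its length and its run time. */
    static boolean findWithBudget(String userPattern, String text, long budgetMillis) {
        if (userPattern.length() > 64) { // illustrative cap, an assumption
            throw new IllegalArgumentException("pattern too long");
        }
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        return Pattern.compile(userPattern)
                .matcher(new DeadlineCharSequence(text, deadline)).find();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the cBioPortal code base.
        System.out.println(containsLiteral("AMP;HOMDEL", "AMP"));
        System.out.println(containsLiteral("AMP;HOMDEL", ".*"));
        System.out.println(findWithBudget("AMP|GAIN", "AMP;HOMDEL", 200));
    }
}
```

A servlet using the second form should catch `IllegalStateException` and `PatternSyntaxException` and return a client error instead of letting the request thread keep running.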