Poor time complexity of Cron.parse #104

personnumber3377 · 2024-08-14T07:15:05Z

Issue description

Hi!

I fuzzed this library with afl and found that the program hangs with a crafted input. I originally reported this privately, but it was later decided to create a public issue. I am going to paste my email text here:

Hi!

I decided to report this to you privately, because this has possible security
implications. I will open a public issue in fugit in a week from now
(19.8.2024), if you do not respond by then. When parsing a long cron job, an
attacker can cause denial of service through uncontrolled resource
consumption. Here is a program which demonstrates the vulnerability

require 'fugit'
c = 10000
pwn = '0 0' + ' 0' * c + ' 1 jan * UTC'
puts 'Parsing...'
Fugit.parse(pwn)
puts 'Done!'

The vulnerability stems from the fact that the Fugit.parse function has poor
time complexity. (I have also attached this program as poc.rb) If an attacker
can supply malicious input to Fugit.parse, then they are able to cause
uncontrolled resource consumption and possible denial of service. I think a
security policy would be good for this project
(https://github.com/floraison/fugit/security) (for a more coordinated
disclosure).

I look forward to hearing from you!

How to reproduce

The simplest piece of code that reproduces the issue, for example:

require 'fugit'
c = 10000
pwn = '0 0' + ' 0' * c + ' 1 jan * UTC'
puts 'Parsing...'
Fugit.parse(pwn)
puts 'Done!'

Error and error backtrace (if any)

Program hangs (no backtrace).

Expected behaviour

The program should execute within a reasonable timeframe.

Context

Linux oof-h8-1440eo 5.15.0-112-generic #122-Ubuntu SMP Thu May 23 07:48:21 UTC
  2024 x86_64 x86_64 x86_64 GNU/Linux
ruby 3.4.0dev (2024-02-09T12:28:26Z master 08b77dd682) [x86_64-linux]
[:env_tz, nil]
(secs:1723619463.6601787,utc~:"2024-08-14 07:11:03.6601786613464355",ltz~:"EEST")
(etz:nil,tnz:"EEST",tziv:"2.0.6",tzidv:nil,rv:"3.4.0",rp:"x86_64-linux",
  win:false,rorv:nil,astz:nil,eov:"1.2.11",eotnz:#<TZInfo::DataTimezone:
  Europe/Helsinki>,eotnfz:"+0300",eotlzn:"Europe/Helsinki",eotnfZ:"EEST",
  debian:"Europe/Helsinki",centos:nil,osx:"Europe/Helsinki")
[:et_orbi, "1.2.11"]
[:fugit, "1.11.0"]
[:now, 2024-08-14 10:11:05.290534123 +0300, :zone, "EEST"]

Additional context

I don't really know how to implement a reasonable security policy (https://github.com/floraison/fugit/security) , because of lack of experience, but I think maybe something similar to what golang has would be good???? (https://go.dev/doc/security/policy)

The text was updated successfully, but these errors were encountered:

jmettraux · 2024-08-14T07:36:10Z

Many thanks!

jmettraux · 2024-08-15T12:08:33Z

Closing this issue now. I will release 1.11.1 now.

If there is anything I missed, please tell me. Thanks again!

jmettraux · 2024-08-15T12:11:49Z

https://rubygems.org/gems/fugit/versions/1.11.1

floraison/fugit#104 Prevent Fugit::Nat.parse choking on large input, limit at 256 chars

floraison/fugit#104 Prevent Fugit::Nat.parse choking on large input, peg at 256 chars ```ruby spec.add_dependency "fugit", "~> 1.11", ">= 1.11.1" ``` Which requires fugit from 1.11.0 to 2.x not included and at least 1.11.1

floraison/fugit#104 Prevent Fugit::Nat.parse choking on large input, limit at 256 chars

This prevents the fugit bug: floraison/fugit#104

jmettraux self-assigned this Aug 14, 2024

jmettraux added a commit that referenced this issue Aug 14, 2024

Peg Fugit::Nat.parse(s) at 256 chars, gh-104

6a75274

jmettraux added a commit that referenced this issue Aug 14, 2024

Add note about nat 256 char limit, gh-104

2a11805

jmettraux added a commit that referenced this issue Aug 15, 2024

Add Fugit::Nat.parse() spec input len > 256 gh-104

a9a2628

jmettraux added a commit that referenced this issue Aug 15, 2024

Add spec for Fugit.parse() and .do_parse, gh-104

767ef55

jmettraux added a commit that referenced this issue Aug 15, 2024

Lower time expectations for labby rubies, gh-104

ad2c1c9

jmettraux closed this as completed Aug 15, 2024

jmettraux added a commit to jmettraux/sidekiq-cron that referenced this issue Aug 15, 2024

Require at least fugit >= 1.11.1

d1c7184

floraison/fugit#104 Prevent Fugit::Nat.parse choking on large input, limit at 256 chars

jmettraux mentioned this issue Aug 15, 2024

Require at least fugit >= 1.11.1 sidekiq-cron/sidekiq-cron#475

Merged

jmettraux mentioned this issue Aug 16, 2024

Require fugit >= 1.11.1 bensheldon/good_job#1468

Closed

jmettraux mentioned this issue Aug 16, 2024

Require fugit >= 1.11.1 rails/solid_queue#280

Closed

jmettraux mentioned this issue Aug 16, 2024

Require fugit >= 1.11.1 rubyonjets/jets#733

Closed

markets pushed a commit to sidekiq-cron/sidekiq-cron that referenced this issue Aug 16, 2024

Require at least fugit >= 1.11.1 (#475)

8126864

floraison/fugit#104 Prevent Fugit::Nat.parse choking on large input, limit at 256 chars

hlascelles added a commit to hlascelles/que-scheduler that referenced this issue Aug 21, 2024

Update fugit requirement

af4add3

This prevents the fugit bug: floraison/fugit#104

hlascelles mentioned this issue Aug 21, 2024

Update fugit minimum requirement to 1.11.1 hlascelles/que-scheduler#506

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Poor time complexity of Cron.parse #104

Poor time complexity of Cron.parse #104

personnumber3377 commented Aug 14, 2024 •

edited by jmettraux

Loading

jmettraux commented Aug 14, 2024

jmettraux commented Aug 15, 2024

jmettraux commented Aug 15, 2024

Poor time complexity of Cron.parse #104

Poor time complexity of Cron.parse #104

Comments

personnumber3377 commented Aug 14, 2024 • edited by jmettraux Loading

Issue description

How to reproduce

Error and error backtrace (if any)

Expected behaviour

Context

Additional context

jmettraux commented Aug 14, 2024

jmettraux commented Aug 15, 2024

jmettraux commented Aug 15, 2024

personnumber3377 commented Aug 14, 2024 •

edited by jmettraux

Loading