Beyond Python: ReDoS Vulnerability in Git-url-parse (Part 3)

July 19, 2023
This is the third of a series of posts disclosing novel ReDoS security vulnerabilities discovered by Safety’s Cybersecurity Intelligence Team. In this post we detail ReDoS attack vectors discovered by Safety affecting not only popular Python packages, but also dependencies in other programming ecosystems.

Code Reuse: Importance and Risks

Code reuse in software development is a time-saving practice that enables developers to build upon existing open-source solutions and focus their effort on the unique, proprietary aspects of any project. However, ensuring the quality and security of reused code is paramount to avoid compromising the integrity of the entire project, or the wider organization.

In this particular case, the vulnerability affected three high-profile projects: git-url-parse; Semgrep, an open-source code analysis tool with over 400,000 monthly downloads; and OSSGadget, a Microsoft-developed tool for analyzing open-source software.

In an earlier post, we provide an introduction to Regular Expression Denial of Service (ReDoS) vulnerabilities and the risk they pose, along with examples. In this blog post, we outline another ReDoS attack vector discovered by Safety's Cybersecurity Intelligence Team, shedding light on the criticality of code reuse security and the prevalence of such vulnerabilities in popular packages across Python, JavaScript, and other programming ecosystems.

Transitive Vulnerabilities

Dependencies within a software project can introduce transitive vulnerabilities, where a known vulnerability in one package affects other dependencies. The ReDoS vulnerability discovered by Safety is one such transitive vulnerability.

Detecting and addressing such vulnerabilities becomes challenging due to the intricate web of indirect dependencies. Regular security audits, dependency updates, and effective vulnerability tracking tools are crucial to mitigate the risks associated with transitive vulnerabilities.
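To make the idea of transitive exposure concrete, the following added example (not code from Safety or from any project named in this post) walks a dependency graph and reports the chain through which each top-level package reaches an affected git-url-parse pin. The graph and every package name other than git-url-parse are constructed, and `installed_graph()` is a helper written for this sketch that builds the same structure from the current Python environment.

```python
import re
from collections import deque
from importlib import metadata

TARGET = "git-url-parse"     # package named in this post
LAST_AFFECTED = (1, 2, 2)    # the post: all versions up to 1.2.2

def norm(name):
    """Normalize a distribution name (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """Declared requirements and versions of every installed distribution."""
    graph, versions = {}, {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            # Extras and environment markers are ignored: an over-approximation.
            names = [re.match(r"[A-Za-z0-9._-]+", r) for r in dist.requires or []]
            graph[norm(name)] = [norm(m.group()) for m in names if m]
            versions[norm(name)] = dist.version
    return graph, versions

def is_affected(version):
    """True when the leading numeric parts are at or below LAST_AFFECTED."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3]) <= LAST_AFFECTED

def chains(graph, versions, roots):
    """Shortest declared chain from each root to an affected TARGET."""
    if TARGET not in versions or not is_affected(versions[TARGET]):
        return []
    found = []
    for root in roots:
        queue, seen = deque([[root]]), {root}
        while queue:
            path = queue.popleft()
            if path[-1] == TARGET:
                found.append(path)
                break
            for dep in graph.get(path[-1], ()):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(path + [dep])
    return found

# Constructed dependency graph; every name except git-url-parse is hypothetical.
GRAPH = {"app": ["ci-reporter", "http-client"], "ci-reporter": ["repo-tools"],
         "repo-tools": ["git-url-parse"]}
VERSIONS = {"app": "0.1.0", "ci-reporter": "2.0.0", "http-client": "3.1.0",
            "repo-tools": "0.9.0", "git-url-parse": "1.2.2"}

if __name__ == "__main__":
    print(chains(GRAPH, VERSIONS, ["app"]))
```

Calling `chains(*installed_graph(), roots)` with your own top-level package names runs the same check against a real environment.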

Safety CLI is used to identify both direct and transitive vulnerabilities across all packages in use in a given environment or project, and can be utilized at every stage of the software development lifecycle, from local system-wide scans of developer machines, all the way through CI/CD and production systems. Moreover, it allows teams to reduce vulnerability noise and assess the criticality of findings within the specific context of their work by combining Severity, Exploitability, Reachability and Package Health.

ReDoS Vulnerability Identified in Three Popular Packages

GIT-URL-PARSE

Despite the project's last commit being in 2019, git-url-parse continues to enjoy immense popularity, with over 120,000 monthly downloads across multiple programming ecosystems.

Safety’s discovery of a significant vulnerability in git-url-parse highlights the risks to reliability and security, even in the most popular open-source packages.

No updates for almost 4 years

Approximately 4,000 downloads per day

Vulnerability Details

The flaw identified by Safety lies in the POSSIBLE_REGEXES regex, which affects the Parser class. It impacts all versions of git-url-parse up to 1.2.2 and can be triggered by parsing untrusted URLs.

Our efforts to address this vulnerability were met with unresponsiveness from the package maintainers. 

One of the several working PoCs

Assigned Identifiers

Semgrep

Semgrep is a powerful, open-source code analysis tool that enables developers to write and apply custom rules to their codebase. Semgrep is downloaded more than 400,000 times each month.

Vulnerability Details

Semgrep does not require git-url-parse as a dependency, but instead shipped with the vulnerable code directly. As a result, while Safety identified the vulnerability and protected users, this vulnerability was more likely to be missed by traditional security scanners, including those integrated into code hosting services, e.g. Dependabot.

The affected code was used by semgrep.meta, which can be triggered by any CI integration: the classes CircleCIMeta, JenkinsMeta, BitbucketMeta, AzurePipelinesMeta and BuildkiteMeta.

osemgrep (OCaml CLI wrapper) is also affected

A possible attack scenario could be when Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by it.

Following our disclosure, Semgrep's maintainers acknowledged the issue, and together we explored and tested possible fixes. The vulnerable code from git-url-parse was introduced in Semgrep version 1.5.2 and fixed with the release of version 1.25.0. 

Assigned Identifiers

OSSGadget

OSSGadget is a collection of tools developed by Microsoft to help analyze and understand open-source software components. Written in C#, OSSGadget is another popular project on GitHub.

Vulnerability Details

The same vulnerable regex was found in Regex GithubMatchRegex. As a result, the public class NPMProjectManager was affected. Users receiving URIs from untrusted sources could be exploited on all OSSGadget versions before 0.1.395. 

Fortunately, the issue was fixed and a new patched version was released within days of Safety reporting the issue to Microsoft.

Beyond the three projects discussed above, git-gears-cs and php-conventional-changelog also include the vulnerable regex, again highlighting the breadth of impact such vulnerabilities can entail. 
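Because Semgrep shipped the code without declaring the dependency, and OSSGadget and the other projects carried the same regex under their own names, a manifest scan alone would not have found these copies. The following added example (not code from Safety or any project named here) searches a source tree for the two identifiers this post names and reports whether any manifest declares git-url-parse. The file suffixes, manifest names and sample tree are assumptions made for this sketch, and a hit is a lead for manual review, since a renamed copy would need matching on the pattern text instead.

```python
import re
import tempfile
from pathlib import Path

# Identifiers this post names as holding the vulnerable regex.
MARKER_RE = re.compile(r"\b(POSSIBLE_REGEXES|GithubMatchRegex)\b")
# Assumed for this sketch: which files count as source and as manifests.
SOURCE_SUFFIXES = {".py", ".cs", ".php", ".ml"}
MANIFESTS = {"requirements.txt", "pyproject.toml", "setup.py", "setup.cfg"}
PACKAGE_RE = re.compile(r"git[-_.]?url[-_.]?parse", re.IGNORECASE)

def audit_tree(root):
    """Report marker hits and whether any manifest declares git-url-parse."""
    root = Path(root)
    hits, declared = [], False
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in MANIFESTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            declared = declared or bool(PACKAGE_RE.search(text))
        elif path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            for number, line in enumerate(text.splitlines(), start=1):
                found = MARKER_RE.search(line)
                if found:
                    hits.append((rel, number, found.group(1)))
    # A copy with no declared dependency is invisible to manifest-based scanners.
    return {"hits": sorted(hits), "declared": declared,
            "blind_spot": bool(hits) and not declared}

def build_sample_tree(root, requirements="example-lib==1.0\n"):
    """Write a constructed project: two copied regex holders, one clean file."""
    files = {
        "requirements.txt": requirements,
        "app/meta/git_urls.py": "import re\n\nPOSSIBLE_REGEXES = ()  # pattern elided\n",
        "tools/NpmManager.cs": "class M {\n  static Regex GithubMatchRegex;\n}\n",
        "app/main.py": "print('no URL parsing here')\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```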

The Importance of Ongoing Vulnerability Scanning

These vulnerabilities underscore the critical importance of robust security measures when reusing code, including ongoing scanning for both direct and transitive vulnerabilities within open-source dependencies at all stages in the software development lifecycle. With new vulnerabilities being discovered in popular packages, as outlined here, it is important to continuously monitor and scan development environments and production systems for the presence of newly-identified vulnerabilities, assess their criticality, and take appropriate action.

To learn more about Safety’s industry-leading vulnerability research and software supply chain security products, please contact us or reach out to info@safetycli.com.

We extend our gratitude to Sebastian Chnelik, our Cybersecurity Analyst, for his invaluable research and discovery.
