sahvx655-wq created FELIX-6843:
----------------------------------
Summary: Fix ReDoS vulnerability in grep command
Key: FELIX-6843
URL: https://issues.apache.org/jira/browse/FELIX-6843
Project: Felix
Issue Type: Bug
Components: Gogo JLine, Gogo Shell
Reporter: sahvx655-wq
The {{grep}} command in {{gogo/shell}} and {{gogo/jline}} is vulnerable to
Regular Expression Denial of Service (ReDoS) due to Java’s backtracking regex
engine. Certain patterns (e.g., {{(a+)+}}) can cause catastrophic
backtracking, leading to high CPU usage and potential shell hangs.
This fix introduces a regex execution timeout using a {{TimeoutCharSequence}}
wrapper around input lines. The wrapper monitors execution time using
{{System.nanoTime()}} and throws a {{RegexTimeoutException}} if processing
exceeds 1000 ms.
The grep implementation catches the timeout exception, logs a warning, and
aborts processing gracefully.
A regression test {{testGrepReDosTimeout}} has been added to ensure malicious
regex patterns are safely terminated without hanging.
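The mitigation described above, as an added illustration that is not the Felix project's own code: a {{CharSequence}} wrapper that checks {{System.nanoTime()}} against a deadline on every {{charAt()}} call, so the backtracking engine (which reads its input only through {{CharSequence}}) is interrupted mid-match, plus a grep loop that catches the exception, logs, and aborts. The class and exception names mirror the ones in the report, but their bodies, the {{grep}} helper and the constructed sample lines are assumptions for this example; the real implementation in {{gogo/shell}} and {{gogo/jline}} may differ in detail.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RegexTimeoutDemo {

    /** Thrown by TimeoutCharSequence once the matcher has run past its deadline. */
    static class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /**
     * Wraps one input line. java.util.regex reads input only via charAt(), so every
     * backtracking step re-enters this method and the deadline is checked there.
     */
    static class TimeoutCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        TimeoutCharSequence(CharSequence inner, long timeoutMillis) {
            this(inner, System.nanoTime() + timeoutMillis * 1_000_000L);
        }

        private TimeoutCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException("regex evaluation exceeded its time budget");
            }
            return inner.charAt(index);
        }

        @Override public int length() { return inner.length(); }

        @Override public CharSequence subSequence(int start, int end) {
            // Keep the same deadline so a sub-sequence cannot escape the budget.
            return new TimeoutCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /**
     * Hypothetical grep loop: returns the matching lines, and instead of hanging on a
     * pathological pattern it logs a warning and stops after the budget is exceeded.
     */
    static List<String> grep(Pattern pattern, List<String> lines, long timeoutMillis) {
        List<String> matches = new ArrayList<>();
        for (String line : lines) {
            try {
                // A fresh deadline per line: the budget applies to each match attempt.
                Matcher m = pattern.matcher(new TimeoutCharSequence(line, timeoutMillis));
                if (m.find()) {
                    matches.add(line);
                }
            } catch (RegexTimeoutException e) {
                System.err.println("grep: pattern timed out after " + timeoutMillis
                        + " ms on a line of length " + line.length() + ", aborting");
                break;
            }
        }
        return matches;
    }

    public static void main(String[] args) {
        // Constructed sample input: two harmless lines and one that makes (a+)+$ backtrack
        // exponentially because the trailing '!' prevents any match.
        StringBuilder pathological = new StringBuilder();
        for (int i = 0; i < 40; i++) {
            pathological.append('a');
        }
        pathological.append('!');
        List<String> lines = List.of("banana", "aaab", pathological.toString());

        // Benign pattern: completes normally and prints [banana].
        System.out.println(grep(Pattern.compile("ana"), lines, 1000));

        // Catastrophic pattern from the report: the third line trips the 1000 ms budget,
        // the warning is logged, and the loop aborts instead of pinning a CPU core.
        System.out.println(grep(Pattern.compile("(a+)+$"), lines, 1000));
    }
}
```

The check lives in {{charAt()}} rather than in a watchdog thread because {{Matcher}} has no cancellation hook: once {{find()}} starts, the only code the caller still controls is the input sequence itself. Reading {{System.nanoTime()}} on every character costs a few nanoseconds per step, which is negligible next to the work a backtracking engine does per step, and the deadline is computed once at construction so the wrapper does not drift if the same line is matched repeatedly.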
--
This message was sent by Atlassian Jira
(v8.20.10#820010)