sahvx655-wq created FELIX-6843:
----------------------------------

             Summary: Fix ReDoS vulnerability in grep command
                 Key: FELIX-6843
                 URL: https://issues.apache.org/jira/browse/FELIX-6843
             Project: Felix
          Issue Type: Bug
          Components: Gogo JLine, Gogo Shell
            Reporter: sahvx655-wq


The {{grep}} command in {{gogo/shell}} and {{gogo/jline}} is vulnerable to 
Regular Expression Denial of Service (ReDoS) due to Java's backtracking regex 
engine. Certain patterns (e.g., {{(a+)+}}) can cause catastrophic 
backtracking, leading to high CPU usage and potential shell hangs.

This fix introduces a regex execution timeout using a {{TimeoutCharSequence}} 
wrapper around input lines. The wrapper monitors execution time using 
{{System.nanoTime()}} and throws a {{RegexTimeoutException}} if processing 
exceeds 1000 ms.

The grep implementation catches the timeout exception, logs a warning, and 
aborts processing gracefully.

A regression test {{testGrepReDosTimeout}} has been added to ensure malicious 
regex patterns are safely terminated without hanging.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

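The deadline-checking CharSequence wrapper the issue describes, as an added example written for this page; it is not the Felix patch itself. The names {{TimeoutCharSequence}} and {{RegexTimeoutException}} and the 1000 ms budget come from the issue text; the {{findWithTimeout}} helper, the 40-character sample line and the remaining method names are assumptions made for the demonstration.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the gogo grep code. java.util.regex walks the input through
// the CharSequence interface and calls charAt() on every step, including each
// backtrack, so a wrapper that checks a deadline in charAt() makes the engine
// abort a pathological match instead of spinning for minutes.
public final class RegexTimeoutDemo {

    /** Thrown when a match exceeds its time budget (name taken from the issue). */
    public static final class RegexTimeoutException extends RuntimeException {
        public RegexTimeoutException(String msg) { super(msg); }
    }

    /** View of one input line that enforces a deadline on every character access. */
    public static final class TimeoutCharSequence implements CharSequence {
        private final CharSequence delegate;
        private final long budgetMillis;
        private final long deadlineNanos;

        public TimeoutCharSequence(CharSequence delegate, long budgetMillis) {
            this(delegate, budgetMillis,
                 System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis));
        }

        private TimeoutCharSequence(CharSequence delegate, long budgetMillis, long deadlineNanos) {
            this.delegate = delegate;
            this.budgetMillis = budgetMillis;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return delegate.length(); }

        @Override public char charAt(int index) {
            // Signed difference handles nanoTime() wrap-around correctly.
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new RegexTimeoutException("regex exceeded " + budgetMillis + " ms");
            }
            return delegate.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            // Share the original deadline so a sub-view cannot reset the clock.
            return new TimeoutCharSequence(delegate.subSequence(start, end), budgetMillis, deadlineNanos);
        }

        @Override public String toString() { return delegate.toString(); }
    }

    /**
     * grep-style test of one line. Returns TRUE/FALSE for a completed match and
     * null when the budget was exhausted, after logging a warning (helper name assumed).
     */
    public static Boolean findWithTimeout(Pattern pattern, String line, long budgetMillis) {
        Matcher m = pattern.matcher(new TimeoutCharSequence(line, budgetMillis));
        try {
            return m.find();
        } catch (RegexTimeoutException e) {
            System.err.println("warning: " + e.getMessage() + " while scanning: " + line);
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed input: the pattern from the issue, anchored, against a run of
        // 'a' ending in a character that can never match, which forces exponential
        // backtracking in a naive NFA engine.
        Pattern evil = Pattern.compile("^(a+)+$");
        String line = "a".repeat(40) + "!";

        long start = System.nanoTime();
        Boolean result = findWithTimeout(evil, line, 1000);
        long elapsedMs = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
        System.out.println("evil pattern: result=" + result + " elapsed=" + elapsedMs + "ms");

        // A benign pattern on ordinary input completes normally under the same budget.
        System.out.println("benign pattern: result="
                + findWithTimeout(Pattern.compile("fo+"), "foo bar", 1000));
    }
}
```

Two caveats for anyone porting this: calling {{System.nanoTime()}} on every {{charAt()}} is measurable overhead on long lines, so a production wrapper usually checks the clock only every few hundred accesses; and the guard only fires while the engine is reading input, so it bounds matching time per line but does not bound {{Pattern.compile()}} or cap the total wall time of a grep over many lines.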