[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users

[Jira]

    [ 
https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17817263#comment-17817263
 ] 

Dénes Bodó commented on OOZIE-3719:
-----------------------------------

[~SanjayKumarSahu] 

The [Jenkins job|https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/216/] 
cannot apply the uploaded patch using this command:
{code:bash}
git apply --check -v -p0 < OOZIE-3719-001.patch{code}
 

Could you please format your patch according to this description?

[https://cwiki.apache.org/confluence/display/OOZIE/How+To+Contribute]
{code:bash}
git diff --no-prefix {code}
Thank you

> Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege 
> Users Disrupting Access for Intended Users
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-3719
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3719
>             Project: Oozie
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 5.2.1
>            Reporter: Sanjay Kumar Sahu
>            Assignee: Sanjay Kumar Sahu
>            Priority: Major
>             Fix For: 5.3.0
>
>         Attachments: OOZIE-3719-001.patch, image-2023-09-15-02-47-52-819.png, 
> image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png, 
> oozie3719.patch
>
>
> !image-2023-09-15-02-47-52-819.png!
>  
> Looking further into the code focusing on the action and type query strings.
> We can see that the filter variable is getting its value from the 
> requestsParameters .
> once the Filter parameter is being populated, an If loop checking whether 
> Scope and Type are not Null and next
> the code checks the logRetrievalType is equal to the JOB_LOG_ACTION (which is 
> the action query string).
>  
> Next the values of logRetrievalScope gets split by , and entering the the if 
> loop.
> In the block where ranges of actions are processed ( if (s.contains("-")) \{ 
> ... } ), an attacker could potentially
> send a specially crafted request with a massive range, such as "1-1000000". 
> This would create a for loop
> iterating and adding that many actions to the actionSet , consuming CPU and 
> memory resources.
> Though there is a subsequent check against maxNumActionsForLog , this check 
> only happens after all the iterations,
> allowing an attacker to consume resources before this check is made -
>  
> !image-2023-09-15-02-52-09-320.png!
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)