GHSA-CRGC-2583-RW27
Vulnerability from github – Published: 2024-05-20 20:43 – Updated: 2024-05-20 22:07Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates.
Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash.
One of these places is the REST ingester:
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L115-L123
With control over both endpoint and retp on the following line:
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121
… an attacker can make Minder generate a large template that Minder reads into memory on the following line by invoking endpoint.String():
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L131
Consider this example:
package main
import (
"fmt"
"html/template"
"os"
)
type EndpointTemplateParams struct {
// Params are the parameters to be used in the template
Params map[string]any
}
func main() {
retp := &EndpointTemplateParams{
Params: map[string]any{
"params": make([]string, 10),
},
}
fmt.Println(retp)
const templ = `
{{range $idx, $e := .Params.params}}
loooooooooooooooooooooooooooooooong-string-{{$idx}}
{{end}}
{{range $idx, $e := .Params.params}}
loooooooooooooooooooooooooooooooong-string-{{$idx}}
{{end}}
{{range $idx, $e := .Params.params}}
loooooooooooooooooooooooooooooooong-string-{{$idx}}
{{end}}`
tmpl := template.Must(template.New("").Parse(templ))
if err := tmpl.Execute(os.Stdout, retp); err != nil {
panic(err)
}
}
This example imitates the behavior on these lines:
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L115-L123
Running this example generates the following template:
loooooooooooooooooooooooooooooooong-string-0
loooooooooooooooooooooooooooooooong-string-1
loooooooooooooooooooooooooooooooong-string-2
loooooooooooooooooooooooooooooooong-string-3
loooooooooooooooooooooooooooooooong-string-4
loooooooooooooooooooooooooooooooong-string-5
loooooooooooooooooooooooooooooooong-string-6
loooooooooooooooooooooooooooooooong-string-7
loooooooooooooooooooooooooooooooong-string-8
loooooooooooooooooooooooooooooooong-string-9
loooooooooooooooooooooooooooooooong-string-0
loooooooooooooooooooooooooooooooong-string-1
loooooooooooooooooooooooooooooooong-string-2
loooooooooooooooooooooooooooooooong-string-3
loooooooooooooooooooooooooooooooong-string-4
loooooooooooooooooooooooooooooooong-string-5
loooooooooooooooooooooooooooooooong-string-6
loooooooooooooooooooooooooooooooong-string-7
loooooooooooooooooooooooooooooooong-string-8
loooooooooooooooooooooooooooooooong-string-9
loooooooooooooooooooooooooooooooong-string-0
loooooooooooooooooooooooooooooooong-string-1
loooooooooooooooooooooooooooooooong-string-2
loooooooooooooooooooooooooooooooong-string-3
loooooooooooooooooooooooooooooooong-string-4
loooooooooooooooooooooooooooooooong-string-5
loooooooooooooooooooooooooooooooong-string-6
loooooooooooooooooooooooooooooooong-string-7
loooooooooooooooooooooooooooooooong-string-8
loooooooooooooooooooooooooooooooong-string-9
A malicious user can call the loop more times, increase the loop count and/or make the repeated long string longer to make the size of the template bigger.
A sufficiently large template will consume a lot of memory on this line which will exhaust memory on the machine and crash the Minder server:
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121
Minder should enforce a limit to generated templates before reading them into memory.
The following templates are believed to be vulnerable:
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121
https://github.com/stacklok/minder/blob/e7f9914de9af5a69e3e6fe2bdfaaf22e62be42c0/internal/engine/actions/remediate/pull_request/pull_request.go#L199
https://github.com/stacklok/minder/blob/e7f9914de9af5a69e3e6fe2bdfaaf22e62be42c0/internal/engine/actions/remediate/pull_request/pull_request.go#L510
Minder has a few other templates especially in its engine which needs reviewing too. As a default, all templates should be limited in size before Minder reads them into memory.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/stacklok/minder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.50"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-35194"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-20T20:43:54Z",
"nvd_published_at": "2024-05-20T21:15:09Z",
"severity": "MODERATE"
},
"details": "Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates.\n\nMinder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash.\n\nOne of these places is the REST ingester:\n\nhttps://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L115-L123\n\nWith control over both endpoint and `retp` on the following line:\n\nhttps://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121\n\n\u2026 an attacker can make Minder generate a large template that Minder reads into memory on the following line by invoking `endpoint.String()`:\n\nhttps://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L131\n\nConsider this example:\n\n```go\npackage main\n\nimport (\n \"fmt\"\n \"html/template\"\n \"os\"\n)\n\ntype EndpointTemplateParams struct {\n // Params are the parameters to be used in the template\n Params map[string]any\n}\n\nfunc main() {\n retp := \u0026EndpointTemplateParams{\n Params: map[string]any{\n \"params\": make([]string, 10),\n },\n }\n fmt.Println(retp)\n const templ = `\n {{range $idx, $e := .Params.params}}\n loooooooooooooooooooooooooooooooong-string-{{$idx}}\n{{end}}\n {{range $idx, $e := .Params.params}}\n loooooooooooooooooooooooooooooooong-string-{{$idx}}\n{{end}}\n {{range $idx, $e := .Params.params}}\n loooooooooooooooooooooooooooooooong-string-{{$idx}}\n{{end}}`\n tmpl := template.Must(template.New(\"\").Parse(templ))\n if err := tmpl.Execute(os.Stdout, retp); err != nil {\n panic(err)\n }\n}\n\n```\n\nThis example imitates the behavior on these lines:\n\nhttps://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L115-L123\n\nRunning this example generates the following template:\n\n```\n loooooooooooooooooooooooooooooooong-string-0\n\n loooooooooooooooooooooooooooooooong-string-1\n\n loooooooooooooooooooooooooooooooong-string-2\n\n loooooooooooooooooooooooooooooooong-string-3\n\n loooooooooooooooooooooooooooooooong-string-4\n\n loooooooooooooooooooooooooooooooong-string-5\n\n loooooooooooooooooooooooooooooooong-string-6\n\n loooooooooooooooooooooooooooooooong-string-7\n\n loooooooooooooooooooooooooooooooong-string-8\n\n loooooooooooooooooooooooooooooooong-string-9\n\n\n loooooooooooooooooooooooooooooooong-string-0\n\n loooooooooooooooooooooooooooooooong-string-1\n\n loooooooooooooooooooooooooooooooong-string-2\n\n loooooooooooooooooooooooooooooooong-string-3\n\n loooooooooooooooooooooooooooooooong-string-4\n\n loooooooooooooooooooooooooooooooong-string-5\n\n loooooooooooooooooooooooooooooooong-string-6\n\n loooooooooooooooooooooooooooooooong-string-7\n\n loooooooooooooooooooooooooooooooong-string-8\n\n loooooooooooooooooooooooooooooooong-string-9\n\n\n loooooooooooooooooooooooooooooooong-string-0\n\n loooooooooooooooooooooooooooooooong-string-1\n\n loooooooooooooooooooooooooooooooong-string-2\n\n loooooooooooooooooooooooooooooooong-string-3\n\n loooooooooooooooooooooooooooooooong-string-4\n\n loooooooooooooooooooooooooooooooong-string-5\n\n loooooooooooooooooooooooooooooooong-string-6\n\n loooooooooooooooooooooooooooooooong-string-7\n\n loooooooooooooooooooooooooooooooong-string-8\n\n loooooooooooooooooooooooooooooooong-string-9\n```\n\nA malicious user can call the loop more times, increase the loop count and/or make the repeated long string longer to make the size of the template bigger.\n\nA sufficiently large template will consume a lot of memory on this line which will exhaust memory on the machine and crash the Minder server:\n\nhttps://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121\n\nMinder should enforce a limit to generated templates before reading them into memory.\n\nThe following templates are believed to be vulnerable:\n\nhttps://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121\n\nhttps://github.com/stacklok/minder/blob/e7f9914de9af5a69e3e6fe2bdfaaf22e62be42c0/internal/engine/actions/remediate/pull_request/pull_request.go#L199\n\nhttps://github.com/stacklok/minder/blob/e7f9914de9af5a69e3e6fe2bdfaaf22e62be42c0/internal/engine/actions/remediate/pull_request/pull_request.go#L510\n\nMinder has a few other templates especially in its engine which needs reviewing too. As a default, all templates should be limited in size before Minder reads them into memory.\n",
"id": "GHSA-crgc-2583-rw27",
"modified": "2024-05-20T22:07:25Z",
"published": "2024-05-20T20:43:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35194"
},
{
"type": "WEB",
"url": "https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892"
},
{
"type": "PACKAGE",
"url": "https://github.com/stacklok/minder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Stacklok Minder vulnerable to denial of service from maliciously crafted templates"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.