  1. Puppet
  2. PUP-11213

Puppet/Puppetserver can be taken out by bad regex

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: PUP 6.24.0, PUP 7.9.0
    • Fix Version/s: None
    • Component/s: Compiler
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.24.0 7.10.0
      Puppet Server Version: N/A
      OS Name/Version: N/A

      A 'Runaway Regular Expression' in a single host's manifests can cause a denial of service on all your puppetservers.

      Desired Behavior:

      Puppet to detect that parsing a regex will take forever and fail the compilation.

      Actual Behavior:

      Puppet compilation never finishes and puppetservers become unavailable.

      The issue can be reproduced with 'puppet apply', e.g.

      puppet apply -t -e 'assert_type(Pattern[/\A-----BEGIN PGP PRIVATE KEY BLOCK-----\n(.*\n?)+-----END PGP PRIVATE KEY BLOCK-----\Z/], "-----BEGIN PGP PRIVATE KEY BLOCK-----\nfoo\n-----END PGP PRIVATE KEY BLOCK-----")'

      The above command will never exit (given an actual key and not just 'foo' I suspect the heat death of the universe might occur first!).

      In the context of puppetserver, the jruby process is never returned to the pool. Eventually, all jruby processes across all puppetservers are taken up and all other requests fail with "Attempt to borrow a JRubyInstance from the pool timed out" errors.

      https://www.sysbee.net/blog/sysbee-blog/puppet-timeouts/ describes the same issue (but in that case, the regex was just very very slow, but did eventually parse).

      Some online regex testing tools see the issue and refuse to parse the regex, e.g.

      "Rubular suspects this regex will take forever to parse. Regexes of this sort make Rubular sad."
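
Added example, not part of the ticket and not Puppet's own code: the pattern from the reproduction next to an unambiguous rewrite, plus a deadline wrapper for matches against untrusted patterns. The names `SAFE`, `pgp_private_key_block?`, `match_within?` and `sample_block` are hypothetical, and the sample inputs are constructed.

```ruby
require 'timeout'

BEGIN_MARK = '-----BEGIN PGP PRIVATE KEY BLOCK-----'
END_MARK   = '-----END PGP PRIVATE KEY BLOCK-----'

# Pattern from the ticket, compiled here only for comparison (never matched).
# (.*\n?)+ is ambiguous: because the newline is optional, a single line can be
# split between loop iterations in exponentially many ways, and a backtracking
# engine may try all of them before giving up.
UNSAFE = /\A#{BEGIN_MARK}\n(.*\n?)+#{END_MARK}\Z/

# Rewrite: every iteration must consume exactly one whole line including its
# newline, so the body can be matched in only one way. It is slightly stricter
# than the original: the END marker has to start on its own line.
SAFE = /\A#{BEGIN_MARK}\n(?:.*\n)+#{END_MARK}\Z/

def pgp_private_key_block?(text)
  SAFE.match?(text)
end

# Bound a match with a deadline so a runaway pattern fails instead of hanging.
# Assumption: the Ruby runtime can interrupt a running match (MRI can); the
# ticket does not establish this for JRuby inside puppetserver.
def match_within?(regex, text, seconds)
  Timeout.timeout(seconds) { regex.match?(text) }
rescue Timeout::Error
  raise ArgumentError, "regex #{regex.inspect} exceeded #{seconds}s"
end

# Constructed input: a key block with `body_lines` lines of 64 characters,
# optionally missing its END marker (the worst case for backtracking).
def sample_block(body_lines, terminated: true)
  body = Array.new(body_lines) { 'A' * 64 }.join("\n")
  tail = terminated ? END_MARK : 'truncated'
  "#{BEGIN_MARK}\n#{body}\n#{tail}"
end
```

Call `match_within?(UNSAFE, sample_block(1), 1)` by hand to compare the ticket's pattern against the rewrite on your own Ruby version.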

            People

            Assignee:
            Unassigned
            Reporter:
            alexjfisher Alexander Fisher