Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-11213

Puppet/Puppetserver can be taken out by bad regex



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Won't Fix
    • PUP 6.24.0, PUP 7.9.0
    • None
    • Compiler
    • None
    • Needs Assessment
    • Needs Assessment


      Puppet Version: 6.24.0 7.10.0
      Puppet Server Version: N/A
      OS Name/Version: N/A

      A 'Runaway Regular Expression' in a single host's manifests can denial of service all your puppetservers.

      Desired Behavior:

      Puppet to detect that parsing a regex will take forever and fail the compilation.

      Actual Behavior:

      **Puppet compilation never finishes and puppetservers become unavailable.


      The issue can be reproduced with 'puppet apply' eg.

      puppet apply -t -e 'assert_type(Pattern[/\A-----BEGIN PGP PRIVATE KEY BLOCK-----\n(.*\n?)+-----END PGP PRIVATE KEY BLOCK-----\Z/], "-----BEGIN PGP PRIVATE KEY BLOCK-----\nfoo\n-----END PGP PRIVATE KEY BLOCK-----")'

      The above command will never exit (given an actual key and not just 'foo' I suspect the heat death of the universe might occur first!).

      In the context of puppetserver, the jruby process is never returned to the pool.  Eventually, all jruby processes across all puppetservers are taken up and all other requests fail with "Attempt to borrow a JRubyInstance from the pool timed out" errors.


      https://www.sysbee.net/blog/sysbee-blog/puppet-timeouts/ describes the same issue (but in that case, the regex was just very very slow, but did eventually parse).

      Some online regex testing tools see the issue and refuse to parse the regex. eg.

      "Rubular suspects this regex will take forever to parse. Regexes of this sort make Rubular sad."




            Unassigned Unassigned
            alexjfisher Alexander Fisher
            0 Vote for this issue
            4 Start watching this issue



              Zendesk Support