Hang via crafted itrf-versions.conf
I was playing around with the new itrf-versions.conf and noticed that any regular expression (RE) is accepted. If the file is loaded from an untrusted source this can hang the application because Java's REs can take exponential time to halt.[1] On one hand supplemental data should only be loaded from trusted sources to ensure the accuracy of computations. On the other hand one could argue that the effects of loading untrusted data shouldn't be any worse than inaccurate results. So I'm not decided whether it is a security issue or not. The thing that makes me nervous is that Orekit can load these files from the internet. What do you think? @luc
For example, I have an itrf-versions.conf file that contains:

    f(.+)+.{40} ------ ------ ITRF-2005

and an EOP file named finals2000A.0reallyloooooooooooooooooooonName. With these settings Orekit has been hung since yesterday. It seems the file name needs to be longer than about 20 characters to cause issues.
Possible Solutions:

- Document it and warn the user so they can take appropriate steps to only load trusted data.
- Use a different RE implementation than Java's Matcher. It is possible to match the above RE in roughly linear time, but Java's implementation of RE is extended to include non-regular expressions such as back references, which necessitates the slower algorithm.
- Implement a watchdog, though I'm not sure if RE matching is interruptible.
- Others?
[1] https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
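One way to implement the watchdog from the third bullet, as an added example that is not Orekit's own code: Java's Matcher reads its input only through CharSequence.charAt, so wrapping the file name in a CharSequence that polls the thread's interrupt flag makes an in-progress match cancellable from a timeout. The class and method names (BoundedRegexMatch, matchesWithin) and the 500 ms budget are my own assumptions; the pattern and file name are the ones from the report.

```java
import java.util.concurrent.*;
import java.util.regex.Pattern;

public final class BoundedRegexMatch {
    // Matcher calls charAt for every character it reads, so checking the interrupt
    // flag there lets an exponentially backtracking match be abandoned.
    static final class InterruptibleCharSequence implements CharSequence {
        private final CharSequence inner;
        InterruptibleCharSequence(CharSequence inner) { this.inner = inner; }
        @Override public char charAt(int index) {
            if (Thread.currentThread().isInterrupted()) {
                throw new RuntimeException(new InterruptedException("match cancelled"));
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new InterruptibleCharSequence(inner.subSequence(start, end));
        }
    }

    // Matches fileName against regex under a time budget. A TimeoutException is the
    // signal that the config entry should be rejected rather than retried.
    static boolean matchesWithin(String regex, String fileName, long budgetMillis)
            throws TimeoutException, InterruptedException {
        Pattern pattern = Pattern.compile(regex);
        ExecutorService exec = Executors.newSingleThreadExecutor();
        Future<Boolean> task = exec.submit(
            () -> pattern.matcher(new InterruptibleCharSequence(fileName)).matches());
        try {
            return task.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (ExecutionException e) {
            throw new IllegalStateException("regex evaluation failed", e.getCause());
        } catch (TimeoutException e) {
            task.cancel(true);  // interrupts the worker; charAt throws on its next read
            throw e;
        } finally {
            exec.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        String regex = "f(.+)+.{40}";                                   // from the report
        String name = "finals2000A.0reallyloooooooooooooooooooonName";  // from the report
        try {
            System.out.println("match: " + matchesWithin(regex, name, 500));
        } catch (TimeoutException e) {
            System.out.println("rejected: pattern exceeded its time budget");
        }
    }
}
```

The budget bounds wall-clock time per match only; a config with many such entries still needs a per-file or per-load limit, and a linear-time engine (the second bullet) removes the problem rather than capping it.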