From patchwork Thu Aug 22 15:11:14 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3,of,6,V3] hgweb: restrict usage of regular expressions in search From: Alexander Plavin X-Patchwork-Id: 2247 Message-Id: <6db09c0cbf06af6f990f.1377184274@debian-alexander.dolgopa> To: mercurial-devel@selenic.com Date: Thu, 22 Aug 2013 19:11:14 +0400 # HG changeset patch # User Alexander Plavin # Date 1376650882 -14400 # Fri Aug 16 15:01:22 2013 +0400 # Node ID 6db09c0cbf06af6f990fcb497449f8e1200fba86 # Parent c9ded075156603c15bb0a71273d2babbd19ab6fb hgweb: restrict usage of regular expressions in search If the search query has strings defining revset regular expressions (those starting with 're:'), revset syntax is disabled. It eliminates the possibility of ReDoS.
diff -r c9ded0751566 -r 6db09c0cbf06 mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py Wed Aug 07 01:16:14 2013 +0400
+++ b/mercurial/hgweb/webcommands.py Fri Aug 16 15:01:22 2013 +0400
@@ -9,7 +9,7 @@
 import webutil
 from mercurial import error, encoding, archival, templater, templatefilters
 from mercurial.node import short, hex, nullid
-from mercurial.util import binary
+from mercurial.util import binary, any as any_
 from common import paritygen, staticfile, get_contact, ErrorResponse
 from common import HTTP_OK, HTTP_FORBIDDEN, HTTP_NOT_FOUND
 from mercurial import graphmod, patch
@@ -176,6 +176,10 @@
 # no revset syntax used
 return 'kw', query
 
+ if any_((token, (value or '')[:3]) == ('string', 're:')
+ for token, value, pos in revset.tokenize(revdef)):
+ return 'kw', query
+
 mfunc = revset.match(None, revdef)
 try:
 # try running against empty subset
diff -r c9ded0751566 -r 6db09c0cbf06 tests/test-hgweb-commands.t
--- a/tests/test-hgweb-commands.t Wed Aug 07 01:16:14 2013 +0400
+++ b/tests/test-hgweb-commands.t Fri Aug 16 15:01:22 2013 +0400
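Review bot: The guard added at `@@ -176,6 +176,10 @@` in `mercurial/hgweb/webcommands.py` is a prefix denylist: it falls back to keyword search only when a `string` token starts with the literal `re:`, so a revset predicate that compiles its argument as a regular expression without that prefix (for example `grep()`, or a file pattern of the `relre:` kind) would still reach `revset.match()` from a web search query, if such predicates are usable on this path. The commit message's claim that ReDoS is eliminated therefore holds only if something outside this hunk restricts those predicates, which is not visible here; an allowlist of predicates considered safe for hgweb would close the whole class rather than one spelling of it. At minimum the limitation deserves a comment above the check, e.g. `# only 're:' string prefixes are caught here; predicates that take a regex in another form are not`. The enclosing function starts and ends outside the hunk.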
@@ -632,6 +632,56 @@ + $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'log?rev=user("test")&style=raw' + 200 Script output follows + + + # HG changesets search + # Node ID cad8025a2e87f88c06259790adfa15acb4080123 + # Query "user("test")" + + changeset: cad8025a2e87f88c06259790adfa15acb4080123 + revision: 3 + user: test + date: Thu, 01 Jan 1970 00:00:00 +0000 + summary: branch commit with null character: \x00 (esc) + branch: unstable + tag: tip + bookmark: something + + changeset: 1d22e65f027e5a0609357e7d8e7508cd2ba5d2fe + revision: 2 + user: test + date: Thu, 01 Jan 1970 00:00:00 +0000 + summary: branch + branch: stable + + changeset: a4f92ed23982be056b9852de5dfe873eaac7f0de + revision: 1 + user: test + date: Thu, 01 Jan 1970 00:00:00 +0000 + summary: Added tag 1.0 for changeset 2ef0ac749a14 + branch: default + + changeset: 2ef0ac749a14e4f57a5a822464a0902c6f7f448f + revision: 0 + user: test + date: Thu, 01 Jan 1970 00:00:00 +0000 + summary: base + tag: 1.0 + bookmark: anotherthing + + + $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'log?rev=user("re:test")&style=raw' + 200 Script output follows + + + # HG changesets search + # Node ID cad8025a2e87f88c06259790adfa15acb4080123 + # Query "user("re:test")" + + + File-related $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'file/1/foo/?style=raw'
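Review bot: The two added requests exercise only `user()` with the `re:` string as the single top-level argument, so the test would still pass if the token scan missed a `re:` string nested inside a compound expression. A third request whose query combines a plain predicate with one taking a `re:` string, with the keyword-fallback output as the expectation, would pin that every string token of the query is inspected. The empty result expected for `user("re:test")` is the keyword fallback rather than a revset that matched nothing, and a one-line comment in the .t file saying so would make that intent readable.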