fix: denial of service attack by passing a URL with a very long host.

We now check for certain size limits and prevent passing long URLs to
the `url` crate.

Author: Byron

gix-url/src/lib.rs

@@ -35,7 +35,7 @@ pub fn parse(input: &BStr) -> Result<Url, parse::Error> {
         InputScheme::Url { protocol_end } if input[..protocol_end].eq_ignore_ascii_case(b"file") => {
             parse::file_url(input, protocol_end)
         }
-        InputScheme::Url { .. } => parse::url(input),
+        InputScheme::Url { protocol_end } => parse::url(input, protocol_end),
         InputScheme::Scp { colon } => parse::scp(input, colon),
     }
 }

gix-url/src/parse.rs

@@ -19,6 +19,9 @@ pub enum Error {
         kind: UrlKind,
         source: url::ParseError,
     },
+
+    #[error("The host portion of the following URL is too long ({} bytes, {len} bytes total): {truncated_url:?}", truncated_url.len())]
+    TooLong { truncated_url: BString, len: usize },
     #[error("{} \"{url}\" does not specify a path to a repository", kind.as_str())]
     MissingRepositoryPath { url: BString, kind: UrlKind },
     #[error("URL {url:?} is relative which is not allowed in this context")]
@@ -79,7 +82,17 @@ pub(crate) fn find_scheme(input: &BStr) -> InputScheme {
     InputScheme::Local
 }
 
-pub(crate) fn url(input: &BStr) -> Result<crate::Url, Error> {
+pub(crate) fn url(input: &BStr, protocol_end: usize) -> Result<crate::Url, Error> {
+    const MAX_LEN: usize = 1024;
+    let bytes_to_path = input[protocol_end + "://".len()..]
+        .find(b"/")
+        .unwrap_or(input.len() - protocol_end);
+    if bytes_to_path > MAX_LEN {
+        return Err(Error::TooLong {
+            truncated_url: input[..(protocol_end + "://".len() + MAX_LEN).min(input.len())].into(),
+            len: input.len(),
+        });
+    }
     let (input, url) = input_to_utf8_and_url(input, UrlKind::Url)?;
     let scheme = url.scheme().into();
 

gix-url/tests/fixtures/fuzzed/very-long.url

@@ -1,5 +1,7 @@
 use bstr::{BStr, ByteSlice};
 use gix_url::{testing::TestUrlExtension, Scheme};
+use std::path::Path;
+use std::time::Duration;
 
 fn assert_url(url: &str, expected: gix_url::Url) -> Result<gix_url::Url, crate::Error> {
     let actual = gix_url::parse(url.into())?;
@@ -134,3 +136,18 @@ mod unknown {
         )
     }
 }
+
+#[test]
+fn fuzzed() {
+    let base = Path::new("tests").join("fixtures").join("fuzzed");
+    let location = base.join(Path::new("very-long").with_extension("url"));
+    let url = std::fs::read(&location).unwrap();
+    let start = std::time::Instant::now();
+    gix_url::parse(url.as_bstr()).ok();
+    assert!(
+        start.elapsed() < Duration::from_millis(100),
+        "URL at '{}' parsed too slowly, took {:.00}s",
+        location.display(),
+        start.elapsed().as_secs_f32()
+    )
+}