fix: add recursion depth limit to avoid runaway runtimes or stackoverflows.

This is important as `.gitattributes` and` .gitignore` files can contain arbitrary
patterns which might be used to attack clients or servers for that matter.

Author: Byron

gix-glob/src/wildmatch.rs

@@ -22,6 +22,7 @@ pub(crate) mod function {
         NoMatch,
         AbortAll,
         AbortToStarStar,
+        RecursionLimitReached,
     }
 
     const STAR: u8 = b'*';
@@ -32,8 +33,13 @@ pub(crate) mod function {
     const COLON: u8 = b':';
 
     const NEGATE_CLASS: u8 = b'!';
+    /// Setting this limit to something reasonable means less compute time spent on unnecessarily complex patterns, or malicious ones.
+    const RECURSION_LIMIT: usize = 64;
 
-    fn match_recursive(pattern: &BStr, text: &BStr, mode: Mode) -> Result {
+    fn match_recursive(pattern: &BStr, text: &BStr, mode: Mode, depth: usize) -> Result {
+        if depth == RECURSION_LIMIT {
+            return RecursionLimitReached;
+        }
         use self::Result::*;
         let possibly_lowercase = |c: &u8| {
             if mode.contains(Mode::IGNORE_CASE) {
@@ -89,7 +95,12 @@ pub(crate) mod function {
                                     })
                                 {
                                     if next.map_or(NoMatch, |(idx, _)| {
-                                        match_recursive(pattern[idx + 1..].as_bstr(), text[t_idx..].as_bstr(), mode)
+                                        match_recursive(
+                                            pattern[idx + 1..].as_bstr(),
+                                            text[t_idx..].as_bstr(),
+                                            mode,
+                                            depth + 1,
+                                        )
                                     }) == Match
                                     {
                                         return Match;
@@ -152,7 +163,7 @@ pub(crate) mod function {
                                 return NoMatch;
                             }
                         }
-                        let res = match_recursive(pattern[p_idx..].as_bstr(), text[t_idx..].as_bstr(), mode);
+                        let res = match_recursive(pattern[p_idx..].as_bstr(), text[t_idx..].as_bstr(), mode, depth + 1);
                         if res != NoMatch {
                             if !match_slash || res != AbortToStarStar {
                                 return res;
@@ -352,6 +363,10 @@ pub(crate) mod function {
     ///
     /// `mode` can be used to adjust the way the matching is performed.
     pub fn wildmatch(pattern: &BStr, value: &BStr, mode: Mode) -> bool {
-        match_recursive(pattern, value, mode) == Result::Match
+        let res = match_recursive(pattern, value, mode, 0);
+        if res == Result::RecursionLimitReached {
+            gix_features::trace::error!("Recursion limit of {} reached for pattern '{pattern}'", RECURSION_LIMIT);
+        }
+        res == Result::Match
     }
 }

gix-glob/tests/fixtures/fuzzed/many-stars.pattern

@@ -326,15 +326,16 @@ fn single_paths_match_anywhere() {
 }
 
 #[test]
-fn exponential_runaway_denial_of_service() {
+fn fuzzed_exponential_runaway_denial_of_service() {
     // original: "?[at(/\u{1d}\0\u{4}\u{14}\0[[[[:[\0\0\0\0\0\0\0\0Wt(/\u{1d}\0\u{4}\u{14}\0[[[[:[\0\0\0\0\0\0\0\0\0\0\0]"
     //  reduced: "[[:[:]"
     for pattern in [
-        "*?[wxxxxxx\0!t[:rt]\u{14}*",
-        "?[at(/\u{1d}\0\u{4}\u{14}\0[[[[:[\0\0\0\0\0\0\0\0\0\0/s\0\0\0*\0\0\0\0\0\0\0\0]\0\0\0\0\0\0\0\0\0",
-        "[[:digit]ab]",
-        "[[:]ab]",
-        "[[:[:x]",
+        include_bytes!("../fixtures/fuzzed/many-stars.pattern"),
+        "*?[wxxxxxx\0!t[:rt]\u{14}*".as_bytes(),
+        "?[at(/\u{1d}\0\u{4}\u{14}\0[[[[:[\0\0\0\0\0\0\0\0\0\0/s\0\0\0*\0\0\0\0\0\0\0\0]\0\0\0\0\0\0\0\0\0".as_bytes(),
+        b"[[:digit]ab]",
+        b"[[:]ab]",
+        b"[[:[:x]",
     ] {
         let pat = pat(pattern);
         match_file(&pat, "relative/path", Case::Sensitive);