servo / rust-url

URL parser for Rust
https://docs.rs/url/
Apache License 2.0

Long URLs can cause seemingly exponential parse times, which makes untrusted input problematic #868

Open Byron opened 9 months ago

Byron commented 9 months ago

Please find attached three URLs that were generated by a fuzzer - all of them take more than 25s (in debug mode) to parse with url::Url::parse(long_url).

long-urls.zip

About Security

I was advised to open an issue here after getting in touch privately at first as per Security Policy.

Possible Fix

It seems feasible to limit the host-name length, which is the portion that causes long parsing times, to smaller values that can't be exploited. The current internet has limits for host-names as well which would be safe to parse.

Workaround

For now the only known way is to inspect the URL prior to passing it to url for parsing. However, at least with gix-url that's easier said than done, as the fuzzer keeps finding bypasses for the extra logic that I put into place.
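
A pre-parse guard in the spirit of the workaround above, as an added example that is not part of the issue and is not rust-url or gix-url code. Rather than locating the host itself, it bounds every span the parser could treat as one. `precheck`, `Reject` and both limits are assumptions (253 is the longest DNS name in text form, the 8 KiB cap is arbitrary), as is the URL Standard rule that a host cannot contain `/` and cannot start after the first `?` or `#`.

```rust
// Added example: a guard to run before url::Url::parse on untrusted input.
// Names and limits are assumptions, not taken from rust-url or gix-url.
const MAX_URL_BYTES: usize = 8 * 1024; // assumed overall cap, tune per application
const MAX_HOST_BYTES: usize = 253; // longest DNS name in text form

#[derive(Debug, PartialEq)]
pub enum Reject {
    TooLong { len: usize },
    HostCandidateTooLong { len: usize },
}

/// Deliberately does not try to find the host: a pre-check that parses
/// differently from the real parser is what a fuzzer ends up bypassing.
/// It over-approximates instead, so any host the parser extracts is short.
pub fn precheck(input: &str) -> Result<(), Reject> {
    // 1. Bound the total work, whatever the parser does with the bytes.
    if input.len() > MAX_URL_BYTES {
        return Err(Reject::TooLong { len: input.len() });
    }
    // 2. Assumed from the URL Standard: no host starts after '?' or '#'.
    let end = input
        .find(|c: char| c == '?' || c == '#')
        .unwrap_or(input.len());
    // 3. A host never contains '/', so it lies inside one '/'-free run.
    //    Scheme, userinfo and port count toward the run (conservative).
    let longest = input[..end].split('/').map(str::len).max().unwrap_or(0);
    if longest > MAX_HOST_BYTES {
        return Err(Reject::HostCandidateTooLong { len: longest });
    }
    Ok(())
}

fn main() {
    // Constructed inputs; these are not the fuzzer files attached to the issue.
    let samples = [
        "https://github.com/servo/rust-url".to_string(),
        format!("https://example.com/?q={}", "x".repeat(1000)),
        format!("ssh://git@{}:22/x", "b.".repeat(200)),
        format!("http:{}", "a".repeat(300)),
        format!("https://{}/repo.git", "a".repeat(100_000)),
    ];
    for s in &samples {
        println!("{:>6} bytes -> {:?}", s.len(), precheck(s));
    }
}
```

The check also rejects legitimate URLs whose path contains a segment longer than 253 bytes, which is the price of not having to agree with the parser about where the host is.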