uBlockOrigin / uBlock-issues

This is the community-maintained issue tracker for uBlock Origin
https://github.com/gorhill/uBlock

DoS with strict-blocking filter #1649

Closed vtriolet closed 3 years ago

vtriolet commented 3 years ago

Prerequisites

Description

A crafted URL that matches a strict-blocking filter can cause uBO to crash or consume a lot of memory when the URL is visited.

A specific URL where the issue occurs

A URL has been provided to gorhill via email. Details will be added later.

Steps to Reproduce

  1. Navigate to the crafted URL to trigger an extension crash or excessive memory consumption, depending on the browser

Expected behavior:

The strict-blocking warning page is displayed without any issues.

Actual behavior:

uBO crashes or consumes a lot of memory, depending on the browser

Your environment

gorhill commented 3 years ago

Version 1.36.2 is now live in Chrome Web store, Firefox's AMO, Opera Web store. Once 1.36.2 is published in the Microsoft Edge store, the details of how to trigger the issue will be disclosed (cc @nikrolls).

vtriolet commented 3 years ago

Hi @nikrolls, is there an ETA for the Edge release? Thank you.

gorhill commented 3 years ago

@vtriolet If ever you go ahead publishing before 1.36.2 becomes available in the Microsoft store, then maybe advise that users of Edge can always install uBO from the Chrome Web Store to get the safe version (link to instructions for users on how to do this).

nicole-ashley commented 3 years ago

Apologies, review seems to be very slow on the Edge Addons Store right now. 1.32.0 was the same. I expect approval any day now, though I already expected approval days ago.

Additionally, I haven't received notifications for the approval of the last couple of updates. So I will just check in regularly on this one so I can update here as soon as it's ready.

vtriolet commented 3 years ago

> Apologies, review seems to be very slow on the Edge Addons Store right now. 1.32.0 was the same. I expect approval any day now, though I already expected approval days ago.
>
> Additionally, I haven't received notifications for the approval of the last couple of updates. So I will just check in regularly on this one so I can update here as soon as it's ready.

Thank you for preparing the Edge release. I have decided to move forward with publication because I have to focus on other work and because this issue is not really secret anymore: there are multiple tickets and fixes in public view.

> @vtriolet If ever you go ahead publishing before 1.36.2 becomes available in the Microsoft store, then maybe advise that users of Edge can always install uBO from the Chrome Web Store to get the safe version (link to instructions for users on how to do this).

Thanks for the tip. I have included a note in my write-up: https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc

nicole-ashley commented 3 years ago

I've just received notification that the release has been approved for Edge. It's not showing up for me yet but this usually happens within several hours, likely due to global replication.

Update: it's now live.

gorhill commented 3 years ago

@vtriolet I issued an update of uMatrix with a fix, see https://github.com/gorhill/uMatrix/releases/tag/1.4.2. It has already been approved on AMO, pending review in CWS.

vtriolet commented 3 years ago

> @vtriolet I issued an update of uMatrix with a fix, see https://github.com/gorhill/uMatrix/releases/tag/1.4.2. It has already been approved on AMO, pending review in CWS.

Thank you. I have updated my post with release details.