trace_09f1a254901a43e49406c2e976272a16

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from `pkg/modules/chromium/routes.go` and trace how user-controlled `extraHttpHeaders` input reaches the `scope` regex handling in `FormDataChromiumOptions`. Show, with grounded code evidence, that the vulnerable commit compiles a user-supplied `regexp2` pattern without a `MatchTimeout`, and explain why that creates a ReDoS / worker-hang condition for Chromium form endpoints such as `/forms/chromium/screenshot/url`. Avoid speculative impact beyond denial of service.

{
  "executiveSummary": "The Gotenberg API's Chromium form endpoints (including `/forms/chromium/screenshot/url`, `/forms/chromium/convert/url`, etc.) are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. User-controlled `extraHttpHeaders` scope patterns are compiled with the `regexp2` library without setting a `MatchTimeout`, enabling attackers to submit malicious regex patterns that cause unbounded CPU consumption and indefinite worker hangs.",
  "reports": [
    {
      "title": "ReDoS vulnerability in extraHttpHeaders scope handling via regexp2 without timeout",
      "severity": "HIGH",
      "summary": "The `FormDataChromiumOptions` function in `pkg/modules/chromium/routes.go` compiles user-supplied regular expression patterns for the `extraHttpHeaders` scope feature using `regexp2.Compile(scope, regexp2.None)` without setting a `MatchTimeout`. This allows malicious regex patterns (e.g., catastrophic backtracking patterns) to hang the worker thread indefinitely when matching against request URLs in `listenForEventRequestPaused`.",
      "rootCauseAnalysis": "The vulnerability stems from missing timeout configuration on the `regexp2.Regexp` object. The `regexp2` library supports explicit match timeouts via `MatchTimeout` field, which is not being set. When no timeout is configured, the regex engine will attempt to match the pattern completely regardless of how long it takes. Malicious patterns such as `(a+)+$` or nested quantifiers combined with carefully crafted input strings trigger catastrophic backtracking that consumes CPU indefinitely.",
      "impact": "Attackers can submit requests to chromium form endpoints with malicious `extraHttpHeaders` scope patterns, causing the request processing worker to hang indefinitely. This results in denial of service — affected workers become unavailable for other requests until manually restarted or underlying timeout mechanisms trigger. The impact is bounded to denial of service only, not data exposure or code execution.",
      "attackPath": "1. Attacker sends HTTP POST to `/forms/chromium/screenshot/url` (or any Chromium form endpoint) with form data including `extraHttpHeaders` containing a malicious scope pattern. 2. The scope value (e.g., `^[a-z]+([a-z]+)*$`) is extracted and compiled via `regexp2.Compile(scope, regexp2.None)` without timeout. 3. The compiled regex is stored in `ExtraHttpHeader.Scope`. 4. During Chromium page loading, `listenForEventRequestPaused` iterates through headers and calls `header.Scope.MatchString(e.Request.URL)` for each request. 5. The malicious pattern triggers catastrophic backtracking against the URL, consuming 100% CPU indefinitely and hanging the worker.",
      "stepsToReproduce": [
        "Send POST request to `/forms/chromium/screenshot/url` with form field `url=https://example.com`",
        "Set `extraHttpHeaders` to JSON like `{'X-Custom-Header': 'test; scope=(a+)+$'}` or another ReDoS-susceptible pattern",
        "Observe that the req