trace_988b4429690b40a89176acbf4167a9ea

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from `pkg/modules/chromium/routes.go` and trace how user-controlled `extraHttpHeaders` input reaches the `scope` regex handling in `FormDataChromiumOptions`. Show, with grounded code evidence, that the vulnerable commit compiles a user-supplied `regexp2` pattern without a `MatchTimeout`, and explain why that creates a ReDoS / worker-hang condition for Chromium form endpoints such as `/forms/chromium/screenshot/url`. Avoid speculative impact beyond denial of service.

{
  "executiveSummary": "Gotenberg allows users to submit custom regex scopes for Chromium's `extraHttpHeaders` parameter. These externally supplied patterns are compiled and matched against network requests during document conversion via the `regexp2` package without `MatchTimeout` enforcement. Evaluating complex or poorly-written regex against crafted request URLs causes catastrophic backtracking, driving CPU usage to 100% and permanently hanging background workers. This allows an unauthenticated external attacker to achieve complete Denial of Service against instances hosting the Go service.",
  "reports": [
    {
      "title": "ReDoS via Unbounded Regex Compilation in Chromium extraHttpHeaders Scope (Denial of Service)",
      "severity": "HIGH",
      "summary": "The Chromium module compiles custom Extra HTTP Header `scope` properties using the `regexp2` regular expression package without configuring a timeout. Matching malicious regex against specific target URLs causes catastrophic backtracking, resulting in remote process hanging and Denial-of-Service via unbounded resource exhaustion.",
      "rootCauseAnalysis": "Within `FormDataChromiumOptions` in `pkg/modules/chromium/routes.go`, when iterating through custom `extraHttpHeaders`, the user-supplied `scope` regex string is passed directly to `regexp2.Compile(scope, regexp2.None)` and assigned to `header.Scope`. The resulting `regexp2.Regexp` object does not have its `MatchTimeout` property populated, defaulting to no timeout.\n\nLater, in `pkg/modules/chromium/events.go`, the interceptor hook `listenForEventRequestPaused` attempts to match each Chromium CDP request URL against these scopes before allowing the outgoing HTTP request: `ok, err := header.Scope.MatchString(e.Request.URL)`. \n\nBecause an attacker can maliciously define the `scope` string along with the targeted document request string URL to trigger catastrophic backtracking, the resulting search causes an unrecoverable infinite loop. The goroutine halts evaluation instead of calling `fetch.ContinueRequest()`, locking up worker capabilities and burning CPU cycles without enforcing context deadlines.",
      "impact": "An attacker can perform a persistent Denial of Service (DoS) attack. The runaway ReDoS evaluation causes 100% CPU utilization on affected threads and prevents Chrome DevTools Protocol requests from completing. This blocks active API conversions and directly exhausts backend worker resources, making the Gotenberg processing queue unresponsive.",
      "attackPath": "1. The attacker constructs a multipart form data request aimed at any Gotenberg chromium endpoint (e.g. `/forms/chromium/screenshot/url`).\n2. The attacker sets the `extraHttpHeaders` parameter to include an invalid, backtracking-prone `scope`. (e.g. `{\"X-Header\": \"value; scope=^(a+)+$\"}`).\n3. The attacker sets the `url` parameter (or references a URL in HTML) that will trigger the worst-case evaluation for the regex (e.g. `url=\"http://example.