Prevent catastrophic backtracking during mime parsing

The regular expression used to parse the mime type can results in catastrophic backtracking[1] allowing for a ReDOS attack[2]. This commit uses atomic grouping[3] to prevent backtracking. 1. https://www.regular-expressions.info/catastrophic.html 2. https://en.wikipedia.org/wiki/ReDoS 3. https://www.regular-expressions.info/atomic.html [CVE-2021-22902]
2022-11-09 12:12:34 -05:00 · 2021-03-27 16:06:59 -04:00 · 2021-03-27 16:06:59 -04:00 · b61b94181b
commit b61b94181b
parent 84643885cf
2 changed files with 7 additions and 1 deletions
--- a/actionpack/lib/action_dispatch/http/mime_type.rb
+++ b/actionpack/lib/action_dispatch/http/mime_type.rb
@ -228,7 +228,7 @@ module Mime
    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
    MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/

    class InvalidMimeType < StandardError; end

--- a/actionpack/test/dispatch/mime_type_test.rb
+++ b/actionpack/test/dispatch/mime_type_test.rb
@ -231,6 +231,12 @@ class MimeTypeTest < ActiveSupport::TestCase
    assert_raises Mime::Type::InvalidMimeType do
      Mime::Type.new(nil)
    end
+
+    assert_raises Mime::Type::InvalidMimeType do
+      Timeout.timeout(1) do # Shouldn't take more than 1s
+        Mime::Type.new("text/html ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0;")
+      end
+    end
  end

  test "holds a reference to mime symbols" do