
Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter.  This patch
fixes the regexp.

Thanks to @dee-see from Hackerone for this patch!

[CVE-2021-22880]
Aaron Patterson 2021-02-10 09:36:15 -08:00 committed by Rafael Mendonça França
parent 142745fecc
commit eddda4d8fb
No known key found for this signature in database
GPG key ID: FC23B6D0F1EEE948
2 changed files with 10 additions and 2 deletions


@ -26,9 +26,9 @@ module ActiveRecord
value = value.sub(/^\((.+)\)$/, '-\1') # (4) value = value.sub(/^\((.+)\)$/, '-\1') # (4)
case value case value
when /^-?\D*[\d,]+\.\d{2}$/ # (1) when /^-?\D*+[\d,]+\.\d{2}$/ # (1)
value.gsub!(/[^-\d.]/, "") value.gsub!(/[^-\d.]/, "")
when /^-?\D*[\d.]+,\d{2}$/ # (2) when /^-?\D*+[\d.]+,\d{2}$/ # (2)
value.gsub!(/[^-\d,]/, "").sub!(/,/, ".") value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
end end
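Review bot: The possessive `\D*+` on the two `when` patterns is the entire fix, yet nothing in the hunk explains it, so a later cleanup that "simplifies" `*+` back to `*` would silently reopen the backtracking problem the commit closes. Suggest a comment above `case value`, e.g. `# \D*+ is possessive on purpose: it never gives characters back to the following class, so crafted prefixes like "$,,,..." cannot trigger heavy backtracking (CVE-2021-22880)`. Separately, `^` and `$` match at line boundaries in Ruby, so a value containing a newline can match on an inner line and then have the rest stripped by the `gsub!`; if whole-string matching is intended, `\A` and `\z` are the anchors, and the same applies to the `sub` on the first line of the hunk, which the commit leaves unchanged. The enclosing method starts before the hunk, so its header and return are not visible here.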


@ -64,6 +64,14 @@ class PostgresqlMoneyTest < ActiveRecord::PostgreSQLTestCase
assert_equal(-2.25, type.cast(+"(2.25)")) assert_equal(-2.25, type.cast(+"(2.25)"))
end end
def test_money_regex_backtracking
type = PostgresqlMoney.type_for_attribute("wealth")
Timeout.timeout(0.1) do
assert_equal(0.0, type.cast("$" + "," * 100000 + ".11!"))
assert_equal(0.0, type.cast("$" + "." * 100000 + ",11!"))
end
end
def test_sum_with_type_cast def test_sum_with_type_cast
@connection.execute("INSERT INTO postgresql_moneys (id, wealth) VALUES (1, '123.45'::money)") @connection.execute("INSERT INTO postgresql_moneys (id, wealth) VALUES (1, '123.45'::money)")