From 0dbb8eb72aa78b7ed0b01533388e69722d16b821 Mon Sep 17 00:00:00 2001
From: nick evans <nick@rubinick.dev>
Date: Wed, 8 Jan 2025 22:06:47 -0500
Subject: [PATCH 3/5] =?UTF-8?q?=F0=9F=94=92=20Prevent=20runaway=20memory?=
 =?UTF-8?q?=20use=20when=20parsing=20uid-set?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reference:https://github.com/ruby/net-imap/commit/0dbb8eb72aa78b7ed0b01533388e69722d16b821
Conflict:not change test, the test/net/imap/ directory doesn't exist.

Problem
=========

The UID sets in UIDPlusData are stored as arrays of UIDs.  In common
scenarios, copying between one and a few hundred emails at a time, this
is barely noticable.  But the memory use expands _exponentially_.

This should not be an issue for _trusted_ servers, and (I assume)
compromised servers will be more interested in evading detection and
stealing your credentials and your email than in causing client Denial
of Service.  Nevertheless, this is a very simple DoS attack against
clients connecting to untrusted servers (for example, a service that
connects to user-specified servers).

For example, assuming a 64-bit architecture, considering only the data
in the two arrays, assuming the arrays' internal capacity is no more
than needed, and ignoring the fixed cost of the response structs:
* 32 bytes expands to ~160KB (about 5000 times more):
  `"* OK [COPYUID 1 1:9999 1:9999]\r\n"`
* 40 bytes expands to ~1.6GB (about 50 million times more):
  `"* OK [COPYUID 1 1:99999999 1:99999999]\r\n"`
* In the worst scenario (uint32 max), 44 bytes expands to 64GiB in
  memory, using over 1.5 billion times more to store than to send:
  `"* OK [COPYUID 1 1:4294967295 1:4294967295]\r\n"`

Preferred fix
===============

The preferred fix is to store `uid-set` as a SequenceSet, not an array.
Unfortunately, this is not fully backwards compatible.  For v0.4 and
v0.5, use `Config#parser_use_deprecated_uidplus_data` to false to use
AppendUIDData and CopyUIDData instead of UIDPlusData.  Unless you are
_using_ UIDPLUS, this is completely safe.  v0.6 will drop UIDPlusData.

Workaround
============

The simplest _partial_ fix (preserving full backward compatibility) is
to raise an error when the number of UIDs goes over some threshold, and
continue using arrays inside UIDPlusData.

For v0.3 (this commit) the maximum count is hard-coded to 10,000.  This
is high enough that it should almost never be triggered by normal usage,
and low enough to be a less extreme problem.  For v0.4 and v0.5, the
maximum array size is configurable, with a much lower default: 1000 for
v0.4 and 100 for v0.5.  These are low enough that they are _unlikely_ to
cause a problem, but v0.4 and v0.5 can also use the newer AppendUIDData
and CopyUIDData classes.

However, because unhandled responses are stored on the `#responses`
hash, this can still be a problem.  A malicious server could repeatedly
use 160Kb of client memory by sending only 32 bytes in a loop.  To fully
solve this problem, a response handler must be added to prune excessive
APPENDUID/COPYUID responses as they are received.

Because unhandled responses have always been retained, managing
unhandled responses is already documented as necessary for long-lived
connections.
---
 .../lib/net/imap/response_parser.rb           | 26 ++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/.bundle/gems/net-imap-0.3.4/lib/net/imap/response_parser.rb b/.bundle/gems/net-imap-0.3.4/lib/net/imap/response_parser.rb
index be1a849..0341356 100644
--- a/.bundle/gems/net-imap-0.3.4/lib/net/imap/response_parser.rb
+++ b/.bundle/gems/net-imap-0.3.4/lib/net/imap/response_parser.rb
@@ -7,6 +7,8 @@ module Net
 
     # Parses an \IMAP server response.
     class ResponseParser
+      MAX_UID_SET_SIZE = 10_000
+
       # :call-seq: Net::IMAP::ResponseParser.new -> Net::IMAP::ResponseParser
       def initialize
         @str = nil
@@ -1379,11 +1381,29 @@ module Net
         case token.symbol
         when T_NUMBER then [Integer(token.value)]
         when T_ATOM
-          token.value.split(",").flat_map {|range|
-            range = range.split(":").map {|uniqueid| Integer(uniqueid) }
-            range.size == 1 ? range : Range.new(range.min, range.max).to_a
+          entries = uid_set__ranges(token.value)
+          if (count = entries.sum(&:count)) > MAX_UID_SET_SIZE
+            parse_error("uid-set is too large: %d > 10k", count)
+          end
+          entries.flat_map(&:to_a)
+        end
+      end
+
+      # returns an array of ranges
+      def uid_set__ranges(uidset)
+        entries = []
+        uidset.split(",") do |entry|
+          uids = entry.split(":", 2).map {|uid|
+            unless uid =~ /\A[1-9][0-9]*\z/
+              parse_error("invalid uid-set uid: %p", uid)
+            end
+            uid = Integer(uid)
+            NumValidator.ensure_nz_number(uid)
+            uid
           }
+          entries << Range.new(*uids.minmax)
         end
+        entries
       end
 
       def nil_atom
-- 
2.27.0