packages/rubygem-activerecord
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!5 fix CVE-2021-22880

Browse Source 
From: @wang_yue111
Reviewed-by: @zhanghua1831,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-03-17 14:09:51 +08:00 committed by Gitee
commit 4b2f06d67d
3 changed files with 79 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2021-22880-1.patch Normal file
View File

@ -0,0 +1,35 @@
From 63e8026805ae9e78ef44efd72e07aeca5c2244fe Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 15 Mar 2021 11:14:45 +0800
Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
---
lib/active_record/connection_adapters/postgresql/oid/money.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/active_record/connection_adapters/postgresql/oid/money.rb b/lib/active_record/connection_adapters/postgresql/oid/money.rb
index 6434377..3703e9a 100644
--- a/lib/active_record/connection_adapters/postgresql/oid/money.rb
+++ b/lib/active_record/connection_adapters/postgresql/oid/money.rb
@@ -26,9 +26,9 @@ module ActiveRecord
value = value.sub(/^\((.+)\)$/, '-\1') # (4)
case value
- when /^-?\D+[\d,]+\.\d{2}$/ # (1)
+ when /^-?\D*+[\d,]+\.\d{2}$/ # (1)
value.gsub!(/[^-\d.]/, "")
- when /^-?\D+[\d.]+,\d{2}$/ # (2)
+ when /^-?\D*+[\d.]+,\d{2}$/ # (2)
value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
end
--
2.23.0

31
CVE-2021-22880-2.patch Normal file
View File

@ -0,0 +1,31 @@
From 13b0efd97b9ec1b755d011ea2d0eceee70c5ae37 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Tue, 16 Mar 2021 10:46:45 +0800
Subject: [PATCH] test CVE-2021-22880
---
.../test/cases/adapters/postgresql/money_test.rb | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb b/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb
index 61e75e7..cb31413 100644
--- a/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb
+++ b/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb
@@ -58,6 +58,14 @@ def test_money_type_cast
assert_equal(-2.25, type.cast("($2.25)".dup))
end
+ def test_money_regex_backtracking
+ type = PostgresqlMoney.type_for_attribute("wealth")
+ Timeout.timeout(0.1) do
+ assert_equal(0.0, type.cast("$" + "," * 100000 + ".11!"))
+ assert_equal(0.0, type.cast("$" + "." * 100000 + ",11!"))
+ end
+ end
+
def test_schema_dumping
output = dump_table_schema("postgresql_moneys")
assert_match %r{t\.money\s+"wealth",\s+scale: 2$}, output
--
2.23.0

17
rubygem-activerecord.spec
View File

@ -2,12 +2,15 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.2.4.4 Version: 5.2.4.4
Release: 1 Release: 2
Summary: Object-relational mapper framework (part of Rails) Summary: Object-relational mapper framework (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/activerecord-5.2.4.4.gem Source0: https://rubygems.org/gems/activerecord-5.2.4.4.gem
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
Patch0: CVE-2021-22880-1.patch
Patch1: CVE-2021-22880-2.patch
Suggests: %{_bindir}/sqlite3 Suggests: %{_bindir}/sqlite3
BuildRequires: rubygems-devel rubygem(bcrypt) rubygem(activesupport) = %{version} BuildRequires: rubygems-devel rubygem(bcrypt) rubygem(activesupport) = %{version}
BuildRequires: rubygem(activemodel) = %{version} rubygem(builder) rubygem(sqlite3) BuildRequires: rubygem(activemodel) = %{version} rubygem(builder) rubygem(sqlite3)
@ -27,7 +30,11 @@ BuildArch: noarch
Documentation for %{name}. Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} %setup -q -n %{gem_name}-%{version} -b 1
%patch0 -p1
pushd %{_builddir}
%patch1 -p1
popd
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -40,8 +47,7 @@ cp -a .%{gem_dir}/* \
%check %check
pushd .%{gem_instdir} pushd .%{gem_instdir}
tar xzvf %{SOURCE1} cp -a %{_builddir}/rails-%{version}/%{gem_name}/test test
cd rails-%{version}/%{gem_name}
sed -i '/^\s*def test_too_many_binds$/ a skip' \ sed -i '/^\s*def test_too_many_binds$/ a skip' \
test/cases/bind_parameter_test.rb test/cases/bind_parameter_test.rb
sed -i '/^\s*def test_preloading_has_many_through_with_implicit_source$/ a skip' \ sed -i '/^\s*def test_preloading_has_many_through_with_implicit_source$/ a skip' \
@ -71,6 +77,9 @@ popd
%{gem_instdir}/examples %{gem_instdir}/examples
%changelog %changelog
* Tue Mar 16 2021 wangyue <wangyue92@huawei.com> - 5.2.4.4-2
- fix CVE-2021-22880
* Mon Feb 8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1 * Mon Feb 8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
- Upgrade to 5.2.4.4 - Upgrade to 5.2.4.4