fix CVE-2021-32740

This commit is contained in:
programmer12 2021-07-14 17:17:15 +08:00
parent 55cceaca31
commit 83bd148cf3
2 changed files with 63 additions and 1 deletions

CVE-2021-32740.patch (new file, 57 lines)

@ -0,0 +1,57 @@
From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
From: Security Curious <security-curious@pm.me>
Date: Fri, 2 Jul 2021 15:30:02 -0400
Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
The regular expression used to match a template against a URL is
vulnerable to a regular expression denial-of-service via catastrophic
backtracking.
This commit includes a test that demonstrates the failure without
the fix as well as updates the regexp to remove the vulnerability.
The vulnerability is removed by updating the grouping to be atomic.
---
lib/addressable/template.rb | 2 +-
spec/addressable/template_spec.rb | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
index 2696695..45967ce 100644
--- a/lib/addressable/template.rb
+++ b/lib/addressable/template.rb
@@ -37,7 +37,7 @@ class Template
Addressable::URI::CharacterClasses::DIGIT + '_'
var_char =
- "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+ "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
RESERVED =
"(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
UNRESERVED =
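Review bot: the `+` line that turns `(?:` into `(?>` deserves a one-line comment above `var_char` saying the atomic group is there to stop catastrophic backtracking; the surrounding context only shows `DIGIT + '_'`, so nothing nearby hints at the reason and a later tidy-up could silently revert it. Worth confirming in the same review that the atomic repeat never has to hand characters back to whatever follows `var_char` in the enclosing patterns; that holds as long as the following tokens (the `*` and `:` separators exercised by the spec) stay outside the character class, in which case the change affects only backtracking, not the set of accepted names.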
diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
index a019165..d47589a 100644
--- a/spec/addressable/template_spec.rb
+++ b/spec/addressable/template_spec.rb
@@ -19,6 +19,7 @@
require "spec_helper"
require "bigdecimal"
+require "timeout"
require "addressable/template"
shared_examples_for 'expands' do |tests|
@@ -1340,6 +1341,14 @@ def self.match(name)
expect(subject).not_to match("foo_bar*")
expect(subject).not_to match("foo_bar:20")
end
+
+ it 'should parse in a reasonable time' do
+ expect do
+ Timeout.timeout(0.1) do
+ expect(subject).not_to match("0"*25 + "!")
+ end
+ end.not_to raise_error
+ end
end
context "VARIABLE_LIST" do
subject { Addressable::Template::VARIABLE_LIST }
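Review bot: the `Timeout.timeout(0.1)` bound in the new `it` block is machine dependent: the fixed regexp rejects `"0"*25 + "!"` in microseconds, but a loaded CI worker can spend 100 ms just scheduling the timeout thread, which would fail the test for a reason unrelated to the regexp. A looser bound (say 1 s) with a longer run of zeros keeps the assertion meaningful, because the unfixed pattern's cost grows exponentially with the number of zeros while the fixed one stays linear. The `expect do ... end.not_to raise_error` wrapper is fine: a `Timeout::Error` escaping the inner block is what turns a slow match into a failure, and `require "timeout"` is added in the hunk above.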

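As an added example (not part of this commit or of the addressable gem), the script below rebuilds the before and after shapes of `var_char` from the hunk above, embeds each in a nested repeat modelled on how the template grammar chains name segments (the `variable_name_regexp` wrapper and the reduced `0-9_` character class are assumptions, not copied from the library), and checks under a wall-clock bound that the atomic form rejects the regression test's `"0"*25 + "!"` input immediately and accepts exactly the same strings as the old form. On Ruby 3.2 or newer the engine's memoization may make the old pattern fast as well, so the timing difference is most visible on older interpreters; the checks on the atomic pattern hold everywhere.

```ruby
# Added example: compares the backtracking and atomic forms of var_char.
# The enclosing variable_name_regexp and the "0-9_" class are assumptions
# modelled on the hunk, not the gem's own definitions.
require "timeout"
require "benchmark"

# The hunk shows the class ending in DIGIT + '_'; digits are enough here.
VARIABLE_CHAR_CLASS = "0-9_".freeze
PCT_ENCODED = "%[a-fA-F0-9][a-fA-F0-9]".freeze

# Before the fix: ordinary non-capturing group around the repeat.
VAR_CHAR_BACKTRACKING = "(?:(?:[#{VARIABLE_CHAR_CLASS}]|#{PCT_ENCODED})+)".freeze
# After the fix: atomic group, so characters consumed by the repeat are
# never given back to the rest of the pattern.
VAR_CHAR_ATOMIC = "(?>(?:[#{VARIABLE_CHAR_CLASS}]|#{PCT_ENCODED})+)".freeze

# Assumed enclosing grammar: a name is var_char followed by any number of
# optionally dotted var_char runs. The optional dot lets a non-atomic
# var_char+ be split in exponentially many ways once the anchor fails.
def variable_name_regexp(var_char)
  /\A#{var_char}(?:\.?#{var_char})*\z/
end

# Runs one match under a wall-clock bound and reports what happened.
# :matched is nil when the bound interrupted the engine.
def bounded_match(regexp, input, limit = 0.1)
  result = { matched: nil, timed_out: false, seconds: 0.0 }
  result[:seconds] = Benchmark.realtime do
    begin
      Timeout.timeout(limit) { result[:matched] = regexp.match?(input) }
    rescue Timeout::Error
      result[:timed_out] = true
    end
  end
  result
end

# Constructed input taken from the regression test: a run of digits that
# cannot be a complete name because of the trailing "!".
CRAFTED = ("0" * 25) + "!"

def check_fix(input = CRAFTED, limit = 0.1)
  {
    backtracking: bounded_match(variable_name_regexp(VAR_CHAR_BACKTRACKING), input, limit),
    atomic: bounded_match(variable_name_regexp(VAR_CHAR_ATOMIC), input, limit)
  }
end

# The fix must not change the language: "." and ":" sit outside the class,
# so no accepted string depends on the repeat backing off.
def same_language?(samples)
  samples.all? do |s|
    variable_name_regexp(VAR_CHAR_BACKTRACKING).match?(s) ==
      variable_name_regexp(VAR_CHAR_ATOMIC).match?(s)
  end
end

if __FILE__ == $PROGRAM_NAME
  check_fix.each do |label, r|
    puts format("%-12s matched=%-5s timed_out=%-5s %.5fs",
                label, r[:matched].inspect, r[:timed_out], r[:seconds])
  end
  puts "same language: #{same_language?(['12', '1.2', '1_2%2F', '1..2', '1%2', CRAFTED])}"
end
```

Run it as a plain script to print both timings; the `same_language?` check is the part that matters when reviewing any atomic-group change, since an atomic group that does alter the accepted set would silently reject valid names. Ruby 3.2 also added a global `Regexp.timeout=`, which is a useful belt-and-braces limit for parsers that must accept untrusted templates.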

@ -1,7 +1,7 @@
%global gem_name addressable %global gem_name addressable
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.5.2 Version: 2.5.2
Release: 1 Release: 2
Summary: URI Implementation Summary: URI Implementation
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/sporkmonger/addressable URL: https://github.com/sporkmonger/addressable
@ -13,6 +13,7 @@ BuildArch: noarch
Patch0: no-rack-mount.patch Patch0: no-rack-mount.patch
# Comment out failing tests # Comment out failing tests
Patch1: fix_addressable_tests.patch Patch1: fix_addressable_tests.patch
Patch2: CVE-2021-32740.patch
%description %description
Addressable is a replacement for the URI implementation that is part of Addressable is a replacement for the URI implementation that is part of
Ruby's standard library. It more closely conforms to the relevant RFCs and Ruby's standard library. It more closely conforms to the relevant RFCs and
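Review bot: the new `Patch2: CVE-2021-32740.patch` line lacks the descriptive comment its neighbour `Patch1` carries (`# Comment out failing tests`); a line such as `# Fix ReDoS in URI template matching (upstream commit b48ff033)` above it would tell a packager what the patch does without opening it.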
@ -31,6 +32,7 @@ gem unpack %{SOURCE0}
gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
%patch0 %patch0
%patch1 %patch1
%patch2 -p1
%build %build
gem build %{gem_name}.gemspec gem build %{gem_name}.gemspec
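Review bot: `%patch2 -p1` passes a strip level while `%patch0` and `%patch1` do not; this is correct, because CVE-2021-32740.patch is a git format-patch whose `diff --git a/... b/...` headers carry the `a/` and `b/` prefixes, but a short comment saying so would stop the next maintainer from "aligning" it with the other two and breaking the build.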
@ -68,5 +70,8 @@ popd
%{gem_instdir}/spec %{gem_instdir}/spec
%changelog %changelog
* Wed Jul 14 2021 liwu <liwu13@huawei.com> - 2.5.2-2
- fix CVE-2021-32740
* Tue Aug 18 2020 shenleizhao <shenleizhao@huawei.com> - 2.5.2-1 * Tue Aug 18 2020 shenleizhao <shenleizhao@huawei.com> - 2.5.2-1
- package init - package init