!16 fix CVE-2023-22799

From: @zxccxz Reviewed-by: @small_leek Signed-off-by: @small_leek
2023-02-15 07:43:20 +00:00 · 2023-02-15 07:43:20 +00:00 · 4b771a27ea
commit 4b771a27ea
parent 325d6436f1 fc0dfe9be0
2 changed files with 57 additions and 1 deletions
--- a/CVE-2023-22799.patch
+++ b/CVE-2023-22799.patch
@ -0,0 +1,50 @@
+From 3bc4349422e60f2235876a59dd415e98b072eb2b Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Tue, 17 Jan 2023 13:32:28 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in name parsing
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2023-22799]
+---
+ lib/global_id/uri/gid.rb | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/lib/global_id/uri/gid.rb b/lib/global_id/uri/gid.rb
+index f5d52dc..3fadf4f 100644
+--- a/lib/global_id/uri/gid.rb
+++ b/lib/global_id/uri/gid.rb
+@@ -127,9 +127,6 @@ def set_params(params)
+     private
+       COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze
+ 
+-      # Extracts model_name and model_id from the URI path.
+-      PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z)
+-
+       def check_host(host)
+         validate_component(host)
+         super
+@@ -149,11 +146,11 @@ def check_scheme(scheme)
+       end
+ 
+       def set_model_components(path, validate = false)
+-        _, model_name, model_id = path.match(PATH_REGEXP).to_a
+-        model_id = CGI.unescape(model_id) if model_id
+-
+        _, model_name, model_id = path.split('/', 3)
+         validate_component(model_name) && validate_model_id(model_id, model_name) if validate
+ 
+        model_id = CGI.unescape(model_id) if model_id
+
+         @model_name = model_name
+         @model_id = model_id
+       end
+@@ -166,7 +163,7 @@ def validate_component(component)
+       end
+ 
+       def validate_model_id(model_id, model_name)
+-        return model_id unless model_id.blank?
+        return model_id unless model_id.blank? || model_id.include?('/')
+ 
+         raise MissingModelIdError, "Unable to create a Global ID for " \
+           "#{model_name} without a model id."
--- a/rubygem-globalid.spec
+++ b/rubygem-globalid.spec
@ -2,12 +2,14 @@
 %{?_with_bootstrap: %global bootstrap 1}
 Name:                rubygem-%{gem_name}
 Version:             1.0.0
-Release:             1
+Release:             2
 Summary:             Refer to any model with a URI: gid://app/class/id
 License:             MIT
 URL:                 https://github.com/rails/%{gem_name}
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             https://github.com/rails/%{gem_name}/archive/v%{version}.tar.gz
+Patch0:		     CVE-2023-22799.patch
+
 BuildRequires:       ruby(release) rubygems-devel ruby >= 1.9.3
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(activesupport) >= 4.1 rubygem(activemodel) >= 4.1
@ -26,6 +28,7 @@ Documentation for %{name}.

 %prep
 %setup -q -n %{gem_name}-%{version} -b 1
+%patch0 -p1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -59,6 +62,9 @@ popd
 %doc %{gem_instdir}/README.md

 %changelog
+* Tue Feb 07 2023 liyuxiang<liyuxiang@ncti-gba.cn> - 1.0.0-2
+- fix CVE-2023-22799
+
 * Tue Jan 17 2023 wangkai <wangkai385@h-partners.com> - 1.0.0-1
 - Upgrade to version 1.0.0