From fc0dfe9be03a32641f41c3214cc81a502ec438b2 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Tue, 14 Feb 2023 01:37:11 +0800
Subject: [PATCH] CVE-2023-22799
---
 CVE-2023-22799.patch | 50 +++++++++++++++++++++++++++++++++++++++++++
 rubygem-globalid.spec | 8 ++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-22799.patch
diff --git a/CVE-2023-22799.patch b/CVE-2023-22799.patch
new file mode 100644
index 0000000..6384d95
--- /dev/null
+++ b/CVE-2023-22799.patch
@@ -0,0 +1,50 @@
+From 3bc4349422e60f2235876a59dd415e98b072eb2b Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 17 Jan 2023 13:32:28 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in name parsing
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2023-22799]
+---
+ lib/global_id/uri/gid.rb | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/lib/global_id/uri/gid.rb b/lib/global_id/uri/gid.rb
+index f5d52dc..3fadf4f 100644
+--- a/lib/global_id/uri/gid.rb
++++ b/lib/global_id/uri/gid.rb
+@@ -127,9 +127,6 @@ def set_params(params)
+ private
+ COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze
+
+- # Extracts model_name and model_id from the URI path.
+- PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z)
+-
+ def check_host(host)
+ validate_component(host)
+ super
+@@ -149,11 +146,11 @@ def check_scheme(scheme)
+ end
+
+ def set_model_components(path, validate = false)
+- _, model_name, model_id = path.match(PATH_REGEXP).to_a
+- model_id = CGI.unescape(model_id) if model_id
+-
++ _, model_name, model_id = path.split('/', 3)
+ validate_component(model_name) && validate_model_id(model_id, model_name) if validate
+
++ model_id = CGI.unescape(model_id) if model_id
++
+ @model_name = model_name
+ @model_id = model_id
+ end
+@@ -166,7 +163,7 @@ def validate_component(component)
+ end
+
+ def validate_model_id(model_id, model_name)
+- return model_id unless model_id.blank?
++ return model_id unless model_id.blank? || model_id.include?('/')
+
+ raise MissingModelIdError, "Unable to create a Global ID for " \
+ "#{model_name} without a model id."
diff --git a/rubygem-globalid.spec b/rubygem-globalid.spec
index b437ea5..37f7dcb 100644
--- a/rubygem-globalid.spec
+++ b/rubygem-globalid.spec
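Review bot: The new `model_id.include?('/')` condition in validate_model_id makes a path with a surplus segment — `/Person/1/extra`, or a trailing slash as in `/Person/1/` — fail with "Unable to create a Global ID for Person without a model id", which misdescribes the input: an id was given, it just carries the remainder that `path.split('/', 3)` leaves in its third element. I would make the raise say what was actually rejected, e.g. `raise MissingModelIdError, "Unable to create a Global ID for " \` / `"#{model_name}: model id is missing or contains '/'."`; the method body and its `end` continue past the hunk, so I cannot see whether a more specific error class already exists for this. The `path.split` line in set_model_components also lost the explanatory comment that went with PATH_REGEXP; a replacement such as `# Plain split rather than a regexp: PATH_REGEXP backtracked quadratically on long slash-free paths (CVE-2023-22799); a surplus segment is rejected by validate_model_id.` keeps the why visible. Worth one more comment on the moved `CGI.unescape`: it now runs after validation, so the slash check sees the percent-encoded id and an id escaped as `%2F` still round-trips — which looks deliberate, and is exactly the ordering a later cleanup would swap back without a note. Both checks only run when `validate` is true, so a caller passing `validate = false` now receives a model_id containing '/' where the regexp used to yield nil; if that path is reachable from untrusted input it deserves its own guard.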
@@ -2,12 +2,14 @@
 %{?_with_bootstrap: %global bootstrap 1}
 Name: rubygem-%{gem_name}
 Version: 1.0.0
-Release: 1
+Release: 2
 Summary: Refer to any model with a URI: gid://app/class/id
 License: MIT
 URL: https://github.com/rails/%{gem_name}
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: https://github.com/rails/%{gem_name}/archive/v%{version}.tar.gz
+Patch0: CVE-2023-22799.patch
+
 BuildRequires: ruby(release) rubygems-devel ruby >= 1.9.3
 %if ! 0%{?bootstrap}
 BuildRequires: rubygem(activesupport) >= 4.1 rubygem(activemodel) >= 4.1
@@ -26,6 +28,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version} -b 1
+%patch0 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -59,6 +62,9 @@ popd
 %doc %{gem_instdir}/README.md
 %changelog
+* Tue Feb 07 2023 liyuxiang - 1.0.0-2
+- fix CVE-2023-22799
+
 * Tue Jan 17 2023 wangkai - 1.0.0-1
 - Upgrade to version 1.0.0