Prevent ReDOS vuln on URI Template matching

security-curious · sporkmonger · commit b48ff03347a6 · 2021-07-02T18:14:57.000-07:00
The regular expression used to match a template against a URL is
vulnerable to a regular expression denial-of-service via catastrophic
backtracking.

This commit includes a test that demonstrates the failure without
the fix as well as updates the regexp to remove the vulnerability.
The vulnerability is removed by updating the grouping to be atomic.
diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
@@ -37,7 +37,7 @@ class Template
       Addressable::URI::CharacterClasses::DIGIT + '_'
 
     var_char =
-      "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+      "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
     RESERVED =
       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
     UNRESERVED =
diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
@@ -19,6 +19,7 @@
 require "spec_helper"
 
 require "bigdecimal"
+require "timeout"
 require "addressable/template"
 
 shared_examples_for 'expands' do |tests|
@@ -1340,6 +1341,14 @@ def self.match(name)
         expect(subject).not_to match("foo_bar*")
         expect(subject).not_to match("foo_bar:20")
       end
+
+      it 'should parse in a reasonable time' do
+        expect do
+          Timeout.timeout(0.1) do
+            expect(subject).not_to match("0"*25 + "!")
+          end
+        end.not_to raise_error
+      end
     end
     context "VARIABLE_LIST" do
       subject { Addressable::Template::VARIABLE_LIST }
