From 879d02107b5b3eb7aeaad1cd1f259bb41f17286b Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Wed, 10 Feb 2021 09:36:15 -0800
Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
---
activerecord/test/cases/adapters/postgresql/money_test.rb | 8 ++++++++
1 files changed, 8 insertions(+)
diff --git a/activerecord/test/cases/adapters/postgresql/money_test.rb b/activerecord/test/cases/adapters/postgresql/money_test.rb
index ff2ab22a8018..a442ce6d8cbd 100644
--- a/activerecord/test/cases/adapters/postgresql/money_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/money_test.rb
@@ -62,6 +62,14 @@ def test_money_type_cast
assert_equal(-2.25, type.cast(+"(2.25)"))
end
+ def test_money_regex_backtracking
+ type = PostgresqlMoney.type_for_attribute("wealth")
+ Timeout.timeout(0.1) do
+ assert_equal(0.0, type.cast("$" + "," * 100000 + ".11!"))
+ assert_equal(0.0, type.cast("$" + "." * 100000 + ",11!"))
+ end
+ end
+
def test_schema_dumping
output = dump_table_schema("postgresql_moneys")
assert_match %r{t\.money\s+"wealth",\s+scale: 2$}, output