From 879d02107b5b3eb7aeaad1cd1f259bb41f17286b Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Wed, 10 Feb 2021 09:36:15 -0800
Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
---
.../connection_adapters/postgresql/oid/money.rb | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb b/activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb
index 357493dfc0d5..3703e9a646df 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb
@@ -26,9 +26,9 @@ def cast_value(value)
value = value.sub(/^\((.+)\)$/, '-\1') # (4)
case value
- when /^-?\D*[\d,]+\.\d{2}$/ # (1)
+ when /^-?\D*+[\d,]+\.\d{2}$/ # (1)
value.gsub!(/[^-\d.]/, "")
- when /^-?\D*[\d.]+,\d{2}$/ # (2)
+ when /^-?\D*+[\d.]+,\d{2}$/ # (2)
value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
end