Prevent ReDOS vuln on URI Template matching

The regular expression used to match a template against a URL is vulnerable to a regular expression denial-of-service via catastrophic backtracking. This commit includes a test that demonstrates the failure without the fix as well as updates the regexp to remove the vulnerability. The vulnerability is removed by updating the grouping to be atomic.
sporkmonger · Jul 3, 2021 · b48ff03 · b48ff03
1 parent f839fb2
commit b48ff03
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
@@ -37,7 +37,7 @@ class Template
       Addressable::URI::CharacterClasses::DIGIT + '_'
 
     var_char =
-      "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+      "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
     RESERVED =
       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
     UNRESERVED =

diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
@@ -19,6 +19,7 @@
 require "spec_helper"
 
 require "bigdecimal"
+require "timeout"
 require "addressable/template"
 
 shared_examples_for 'expands' do |tests|
@@ -1340,6 +1341,14 @@ def self.match(name)
         expect(subject).not_to match("foo_bar*")
         expect(subject).not_to match("foo_bar:20")
       end
+
+      it 'should parse in a reasonable time' do
+        expect do
+          Timeout.timeout(0.1) do
+            expect(subject).not_to match("0"*25 + "!")
+          end
+        end.not_to raise_error
+      end
     end
     context "VARIABLE_LIST" do
       subject { Addressable::Template::VARIABLE_LIST }