Fix ReDoS vulnerability in name parsing

Thanks to @ooooooo_q for the patch! [CVE-2023-22799]
rails · Jan 17, 2023 · 3bc4349 · 3bc4349
1 parent 93150b1
commit 3bc4349
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/lib/global_id/uri/gid.rb b/lib/global_id/uri/gid.rb
@@ -127,9 +127,6 @@ def set_params(params)
     private
       COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze
 
-      # Extracts model_name and model_id from the URI path.
-      PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z)
-
       def check_host(host)
         validate_component(host)
         super
@@ -149,11 +146,11 @@ def check_scheme(scheme)
       end
 
       def set_model_components(path, validate = false)
-        _, model_name, model_id = path.match(PATH_REGEXP).to_a
-        model_id = CGI.unescape(model_id) if model_id
-
+        _, model_name, model_id = path.split('/', 3)
         validate_component(model_name) && validate_model_id(model_id, model_name) if validate
 
+        model_id = CGI.unescape(model_id) if model_id
+
         @model_name = model_name
         @model_id = model_id
       end
@@ -166,7 +163,7 @@ def validate_component(component)
       end
 
       def validate_model_id(model_id, model_name)
-        return model_id unless model_id.blank?
+        return model_id unless model_id.blank? || model_id.include?('/')
 
         raise MissingModelIdError, "Unable to create a Global ID for " \
           "#{model_name} without a model id."