fix ReDoS vulnerability #185

Merged
merged 1 commit into from Apr 12, 2021

wonda-tea-coffee
Contributor

resolve #184

@@ -42,7 +42,7 @@ def call(value)
case value
when *FALSE_VALUES then false
when *NIL_VALUES then nil
when Numeric, /\A[-+]?(0+\.?0*|0*\.?0+)\z/ then !value.to_f.zero?
when Numeric, /\A[-+]?(0++\.?0*|0*\.?0+)\z/ then !value.to_f.zero?
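Review bot: On the changed `when Numeric, ...` line only the first alternative is made possessive (`0++`); the second alternative, `0*\.?0+`, still has two greedy runs of zeros separated only by an optional dot, so a long string of zeros that fails at `\z` can still be split between `0*` and `0+` in many ways and backtrack heavily. Consider making that `0*` possessive as well (`0*+`): strings of plain zeros are still matched by the first alternative, and input such as `.0` by the second, so the set of accepted values does not change. A regression spec that feeds a long run of zeros followed by a non-matching character and asserts it returns promptly would keep this from coming back.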
Owner

In your original issue (#184) you also changed |0* to |0*+. Is that no longer desirable?

Contributor Author

Sorry, there's been a correction.
I fixed it as per the issue.

@cgriego cgriego merged commit dab95e5 into cgriego:master Apr 12, 2021
68 checks passed
Owner

cgriego commented Apr 12, 2021

Thank you. This has been released in 0.15.3.

Successfully merging this pull request may close these issues.

ReDoS vulnerability in ActiveAttr::Typecasting::BooleanTypecaster#call