Fix quadratic backtracking on invalid relative URI

nobu · hsbt · commit 9010ee2536ad · 2023-06-29T10:07:35.000+09:00
https://hackerone.com/reports/1958260
diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
@@ -497,8 +497,8 @@ def initialize_regexp(pattern)
       ret = {}
 
       # for URI::split
-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
 
       # for URI::extract
       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
@@ -87,4 +87,16 @@ def test_split
       URI.parse("foo@example:foo")
     end
   end
+
+  def test_rfc2822_parse_relative_uri
+    pre = ->(length) {
+      " " * length + "\0"
+    }
+    parser = URI::RFC2396_Parser.new
+    assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri|
+      assert_raise(URI::InvalidURIError) do
+        parser.split(uri)
+      end
+    end
+  end
 end
