Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp. Thanks to @dee-see from Hackerone for this patch! [CVE-2021-22880]
2021-02-10 09:36:15 -08:00 · 2021-02-10 09:36:15 -08:00 · eddda4d8fb
commit eddda4d8fb
parent 142745fecc
2 changed files with 10 additions and 2 deletions
--- a/activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb
@ -26,9 +26,9 @@ def cast_value(value)

            value = value.sub(/^\((.+)\)$/, '-\1') # (4)
            case value
-            when /^-?\D*[\d,]+\.\d{2}$/  # (1)
+            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
              value.gsub!(/[^-\d.]/, "")
-            when /^-?\D*[\d.]+,\d{2}$/  # (2)
+            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
              value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
            end

--- a/activerecord/test/cases/adapters/postgresql/money_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/money_test.rb
@ -64,6 +64,14 @@ def test_money_type_cast
    assert_equal(-2.25, type.cast(+"(2.25)"))
  end

+  def test_money_regex_backtracking
+    type = PostgresqlMoney.type_for_attribute("wealth")
+    Timeout.timeout(0.1) do
+      assert_equal(0.0, type.cast("$" + "," * 100000 + ".11!"))
+      assert_equal(0.0, type.cast("$" + "." * 100000 + ",11!"))
+    end
+  end
+
  def test_sum_with_type_cast
    @connection.execute("INSERT INTO postgresql_moneys (id, wealth) VALUES (1, '123.45'::money)")