fix ReDoS #1823

ooooooo-q · 2022-10-08T02:29:54Z

I fixed ReDoS for Rack::Protection::IPSpoofing.
ReDOS occurs when a specially crafted header is received while using it.

PoC

ip_spoofing_benchmark.rb

require 'benchmark'

def attack_text(length)
 ("\t" * length +"\ta,a\t").split(/\s*,\s*/)
end

Benchmark.bm do |x|
  x.report { attack_text(10) }
  x.report { attack_text(100) }
  x.report { attack_text(1000) }
  x.report { attack_text(10000) }
  x.report { attack_text(100000) }
end

❯ bundle exec ruby ip_spoofing_benchmark.rb
       user     system      total        real
   0.000006   0.000001   0.000007 (  0.000005)
   0.000028   0.000000   0.000028 (  0.000027)
   0.002259   0.000012   0.002271 (  0.002272)
   0.223570   0.000703   0.224273 (  0.224464)
  22.489373   0.102019  22.591392 ( 22.658066)

olleolleolle

Thanks, this looks good!

@jkowens, this looks good to go!

fix ReDoS

441c06a

olleolleolle approved these changes Oct 9, 2022

View reviewed changes

jkowens merged commit 8ff496b into sinatra:master Oct 9, 2022

This was referenced Nov 10, 2022

Release 3.0.3 to publish ReDOS security fix #1836

Closed

Cut a release including the ReDOS vulnerability fix #1837

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix ReDoS #1823

fix ReDoS #1823

ooooooo-q commented Oct 8, 2022

olleolleolle left a comment

fix ReDoS #1823

fix ReDoS #1823

Conversation

ooooooo-q commented Oct 8, 2022

PoC

olleolleolle left a comment

Choose a reason for hiding this comment