Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible ReDos in the read_directive method #995

Closed
Akashkarmakar787 opened this issue Apr 27, 2023 · 3 comments · Fixed by #999
Closed

Possible ReDos in the read_directive method #995

Akashkarmakar787 opened this issue Apr 27, 2023 · 3 comments · Fixed by #999

Comments

@Akashkarmakar787
Copy link

There is a possible ReDos issue
https://github.com/ruby/rdoc/blob/master/lib/rdoc/parser/ruby.rb#L2137 with string for example: '0'*54773 + '\x000:'

https://github.com/ruby/rdoc/blob/master/lib/rdoc/comment.rb#L100 with string ex: '\n'*106500100 + 'call-seq:' + 'a'*165100000
nobu added a commit to nobu/rdoc that referenced this issue Apr 29, 2023
@nobu
Fix polynominal exponential backtracking
73d3099 
Fix ruby#995
nobu added a commit to nobu/rdoc that referenced this issue Apr 29, 2023
@nobu
Fix polynominal backtracking
512b023 
Fix ruby#995
@nobu nobu mentioned this issue Apr 29, 2023
Merged
nobu added a commit to nobu/rdoc that referenced this issue Apr 29, 2023
@nobu
Fix polynominal backtracking
1311ca8 
Fix ruby#995
@nobu nobu closed this as completed in adfa7db Apr 29, 2023
matzbot pushed a commit to ruby/ruby that referenced this issue Apr 29, 2023
@nobu @matzbot
[ruby/rdoc] Fix polynominal backtracking
85a9fd1 
Fix ruby/rdoc#995

ruby/rdoc@adfa7db5b9
matzbot pushed a commit to ruby/ruby that referenced this issue Apr 29, 2023
@nobu @matzbot
[ruby/rdoc] Fix polynominal backtracking
c287116 
Fix ruby/rdoc#995

ruby/rdoc@1311ca8c50
@Akashkarmakar787
Copy link
Author

@nobu do we need to have a CVE for this?

@nobu
Copy link
Member

nobu commented Jun 9, 2023

No, we do not believe it is necessary.
Do you know services providing arbitrary documents, using RDoc and Ruby 3.1 or earlier?

@Akashkarmakar787
Copy link
Author

No, we do not believe it is necessary. Do you know services providing arbitrary documents, using RDoc and Ruby 3.1 or earlier?

I am not sure @nobu if some service provides that. But i believe it will be better if we have a CVE as user will make informed decision.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix ReDoS nobu/rdoc
2 participants
@nobu @Akashkarmakar787