From 40f82dc38fe3f21d41b9345a26ad23ac90cf31c9 Mon Sep 17 00:00:00 2001 From: Security Curious Date: Sat, 27 Mar 2021 16:06:59 -0400 Subject: [PATCH] Prevent catastrophic backtracking during mime parsing The regular expression used to parse the mime type can results in catastrophic backtracking[1] allowing for a ReDOS attack[2]. This commit uses atomic grouping[3] to prevent backtracking. 1. https://www.regular-expressions.info/catastrophic.html 2. https://en.wikipedia.org/wiki/ReDoS 3. https://www.regular-expressions.info/atomic.html [CVE-2021-22902]
---
 actionpack/lib/action_dispatch/http/mime_type.rb | 2 +-
 actionpack/test/dispatch/mime_type_test.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
index a0f32d02c6..1d0183641d 100644
--- a/actionpack/lib/action_dispatch/http/mime_type.rb
+++ b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -229,7 +229,7 @@ def unregister(symbol)
 MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
 MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
 MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
- MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+ MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
 class InvalidMimeType < StandardError; end
diff --git a/actionpack/test/dispatch/mime_type_test.rb b/actionpack/test/dispatch/mime_type_test.rb
index b29a7f6273..d5ef7b7f53 100644
--- a/actionpack/test/dispatch/mime_type_test.rb
+++ b/actionpack/test/dispatch/mime_type_test.rb
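Review bot: The atomic group in the new `MIME_REGEXP` stops the backtracking but leaves its cause in place: the group still opens and closes with `\s*` directly around `MIME_PARAMETER`, which itself begins with optional whitespace, so one run of spaces can still be shared between adjacent quantifiers. Nothing on the line says why `(?>` is used, so a later cleanup could turn it back into `(?:` and reintroduce CVE-2021-22902; I would add a comment above the constant such as `# Atomic group on purpose: with (?:...) the adjacent optional-whitespace runs backtrack catastrophically (CVE-2021-22902).` As a follow-up, consider removing the duplicated whitespace quantifiers so the pattern is unambiguous without relying on atomicity, after checking that the set of accepted strings does not change. The class that holds these constants starts and ends outside the hunk.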
@@ -231,6 +231,12 @@ class MimeTypeTest < ActiveSupport::TestCase
 assert_raises Mime::Type::InvalidMimeType do
 Mime::Type.new(nil)
 end
+
+ assert_raises Mime::Type::InvalidMimeType do
+ Timeout.timeout(1) do # Shouldn't take more than 1s
+ Mime::Type.new("text/html ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0;")
+ end
+ end
 end
 test "holds a reference to mime symbols" do
--
2.30.0
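Review bot: The regression check is appended to an existing test whose name and opening line are outside the hunk, so a future slowdown would be reported under a name unrelated to backtracking; a separate test, e.g. `test "rejects a long run of malformed parameters without excessive backtracking" do`, would make the failure self-explanatory. The `Timeout.timeout(1)` bound is wall-clock time and the hunk does not show `require "timeout"`, so it is worth confirming that the file loads it and that one second is generous enough on a loaded CI machine. Only one input shape is covered (a run of `;0` parameters ending in a bare `;`); a second case that varies the whitespace between parameters would exercise the other adjacent `\s*` quantifiers as well.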