From 20a4e60814a45a287d502226b3bdeedf9ad2c735 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Tue, 4 May 2021 15:49:21 -0700 Subject: [PATCH] Prevent slow regex when parsing host authorization header The old regex could take too long when parsing an authorization header, and this could potentially cause a DoS vulnerability [CVE-2021-22904] --- .../lib/action_controller/metal/http_authentication.rb | 2 +- .../test/controller/http_token_authentication_test.rb | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 0bf5cc2e50..d922ea34e2 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -407,7 +407,7 @@ def opaque(secret_key) module Token TOKEN_KEY = "token=" TOKEN_REGEX = /^(Token|Bearer)\s+/ - AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/ + AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ extend self module ControllerMethods diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb index 5940858197..ca69eb1389 100644 --- a/actionpack/test/controller/http_token_authentication_test.rb +++ b/actionpack/test/controller/http_token_authentication_test.rb @@ -88,6 +88,16 @@ def authenticate_long_credentials assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed" end + test "authentication request with evil header" do + @request.env["HTTP_AUTHORIZATION"] = "Token ." + " " * (1024*80-8) + "." + Timeout.timeout(1) do + get :index + end + + assert_response :unauthorized + assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed" + end + test "successful authentication request with Bearer instead of Token" do @request.env["HTTP_AUTHORIZATION"] = "Bearer lifo" get :index -- 2.30.0