From 3d9e9fdf14e044b3ba66f909582c228a9d4ffb5c Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Tue, 4 May 2021 15:49:21 -0700 Subject: [PATCH] Prevent slow regex when parsing host authorization header The old regex could take too long when parsing an authorization header, and this could potentially cause a DoS vulnerability [CVE-2021-22904] --- .../lib/action_controller/metal/http_authentication.rb | 2 +- .../test/controller/http_token_authentication_test.rb | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 01676f3237..d2e667436f 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -406,7 +406,7 @@ def opaque(secret_key) module Token TOKEN_KEY = "token=" TOKEN_REGEX = /^(Token|Bearer)\s+/ - AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/ + AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ extend self module ControllerMethods diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb index 672aa1351c..fe7b73c51a 100644 --- a/actionpack/test/controller/http_token_authentication_test.rb +++ b/actionpack/test/controller/http_token_authentication_test.rb @@ -89,6 +89,16 @@ def authenticate_long_credentials assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed" end + test "authentication request with evil header" do + @request.env["HTTP_AUTHORIZATION"] = "Token ." + " " * (1024*80-8) + "." + Timeout.timeout(1) do + get :index + end + + assert_response :unauthorized + assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed" + end + test "successful authentication request with Bearer instead of Token" do @request.env["HTTP_AUTHORIZATION"] = "Bearer lifo" get :index -- 2.30.0