There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.
Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5
Impact
Carefully crafted input can cause the input validation in the “money” type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack.
This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Releases
The fixed releases are available at the normal locations.
Workarounds
In the case a patch can’t be applied, the following monkey patch can be used in an initializer:
module ActiveRecord
module ConnectionAdapters
module PostgreSQL
module OID # :nodoc:
class Money < Type::Decimal # :nodoc:
def cast_value(value)
return value unless ::String === value
value = value.sub(/^\((.+)\)$/, '-\1') # (4)
case value
when /^-?\D*+[\d,]+\.\d{2}$/ # (1)
value.gsub!(/[^-\d.]/, "")
when /^-?\D*+[\d.]+,\d{2}$/ # (2)
value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
end
super(value)
end
end
end
end
end
end
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 5-2-postgresql-money-dos.patch (2.2 KB)
- 6-0-postgresql-money-dos.patch (2.2 KB)
- 6-1-postgresql-money-dos.patch (2.2 KB)
Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thanks to @dee-see from HackerOne for reporting this issue!
