Merge rexml-expansion-fix gem into activesupport.

Addresses the security issue documented at: * http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
2026-01-26 14:58:11 -05:00 · 2008-09-02 16:22:20 +02:00
parent 76797b4439
commit ebfa43c423
2 changed files with 56 additions and 0 deletions
--- a/activesupport/lib/active_support/core_ext/rexml.rb
+++ b/activesupport/lib/active_support/core_ext/rexml.rb
@@ -0,0 +1,35 @@
+require 'rexml/document'
+require 'rexml/entity'
+
+# Fixes the rexml vulnerability disclosed at:
+# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
+# This fix is identical to rexml-expansion-fix version 1.0.1
+
+unless REXML::VERSION > "3.1.7.2"
+  module REXML
+    class Entity < Child
+      undef_method :unnormalized
+      def unnormalized
+        document.record_entity_expansion! if document
+        v = value()
+        return nil if v.nil?
+        @unnormalized = Text::unnormalize(v, parent)
+        @unnormalized
+      end
+    end
+    class Document < Element
+      @@entity_expansion_limit = 10_000
+      def self.entity_expansion_limit= val
+        @@entity_expansion_limit = val
+      end
+
+      def record_entity_expansion!
+        @number_of_expansions ||= 0
+        @number_of_expansions += 1
+        if @number_of_expansions > @@entity_expansion_limit
+          raise "Number of entity expansions exceeded, processing aborted."
+        end
+      end
+    end
+  end
+end
--- a/activesupport/test/core_ext/hash_ext_test.rb
+++ b/activesupport/test/core_ext/hash_ext_test.rb
@@ -839,6 +839,27 @@ class QueryTest < Test::Unit::TestCase
      :person => {:id => [20, 10]}
  end

+  def test_expansion_count_is_limited
+    assert_raises RuntimeError do
+      attack_xml = <<-EOT
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE member [
+        <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+        <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+        <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+        <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+        <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+        <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+        <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
+      ]>
+      <member>
+      &a;
+      </member>
+      EOT
+      Hash.from_xml(attack_xml)
+    end
+  end
+
  private
    def assert_query_equal(expected, actual, message = nil)
      assert_equal expected.split('&'), actual.to_query.split('&')