From 3819f9fe80279f40639f4808bf257340548797fa Mon Sep 17 00:00:00 2001 From: Watson Date: Thu, 11 Jul 2024 14:54:06 +0900 Subject: [PATCH] Fix ReDoS by using repeated space characters inside `]>` Fix performance by removing unnecessary spaces. --- lib/rexml/parsers/baseparser.rb | 2 +- test/parse/test_attlist.rb | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 test/parse/test_attlist.rb diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb index e8f1a069..260b04d3 100644 --- a/lib/rexml/parsers/baseparser.rb +++ b/lib/rexml/parsers/baseparser.rb @@ -349,7 +349,7 @@ def pull_event contents = md[0] pairs = {} - values = md[0].scan( ATTDEF_RE ) + values = md[0].strip.scan( ATTDEF_RE ) values.each do |attdef| unless attdef[3] == "#IMPLIED" attdef.compact! diff --git a/test/parse/test_attlist.rb b/test/parse/test_attlist.rb new file mode 100644 index 00000000..e50545f0 --- /dev/null +++ b/test/parse/test_attlist.rb @@ -0,0 +1,17 @@ +require "test/unit" +require "core_assertions" + +require "rexml/document" + +module REXMLTests + class TestParseAttlist < Test::Unit::TestCase + include Test::Unit::CoreAssertions + + def test_gt_linear_performance_attlist + seq = [10000, 50000, 100000, 150000, 200000] + assert_linear_performance(seq, rehearsal: 10) do |n| + REXML::Document.new(']>') + end + end + end +end