[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL adapter

1,881 views
Skip to first unread message

Rafael França

unread,
Feb 10, 2021, 6:40:22 PM2/10/21
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected:  >= 4.2.0
Not affected:       < 4.2.0
Fixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5

Impact
------
Carefully crafted input can cause the input validation in the "money" type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

```
module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value

            value = value.sub(/^\((.+)\)$/, '-\1') # (4)
            case value
            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
              value.gsub!(/[^-\d.]/, "")
            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
              value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
            end

            super(value)
          end
        end
      end
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-2-postgresql-money-dos.patch
* 6-0-postgresql-money-dos.patch
* 6-1-postgresql-money-dos.patch

Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thanks to @dee-see from HackerOne for reporting this issue!

5-2-postgresql-money-dos.patch
6-1-postgresql-money-dos.patch
6-0-postgresql-money-dos.patch
Reply all
Reply to author
Forward
0 new messages