CVE-2021-22880 (activerecord): Possible DoS Vulnerability in Active Record PostgreSQL adapter

ADVISORIES

GEM

activerecord

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 5.3 (Medium)

UNAFFECTED VERSIONS

< 4.2.0

PATCHED VERSIONS

~> 5.2.4, >= 5.2.4.5
~> 6.0.3, >= 6.0.3.5
>= 6.1.2.1

DESCRIPTION

There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money &lt; Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value

            value = value.sub(/^\((.+)\)$/, '-\1') # (4)
            case value
            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
              value.gsub!(/[^-\d.]/, &quot;&quot;)
            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
              value.gsub!(/[^-\d,]/, &quot;&quot;).sub!(/,/, &quot;.&quot;)
            end

            super(value)
          end
        end
      end
    end
  end
end

RubySec