1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
From 4b383e6936d7a72b5dc839f526c9a9aeb280acae Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 11 Jan 2023 10:14:55 -0800
Subject: [PATCH] Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
---
activesupport/lib/active_support/inflector/methods.rb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/activesupport/lib/active_support/inflector/methods.rb b/activesupport/lib/active_support/inflector/methods.rb
index ad136532bf..acb86fe1a4 100644
--- a/activesupport/lib/active_support/inflector/methods.rb
+++ b/activesupport/lib/active_support/inflector/methods.rb
@@ -93,8 +93,7 @@ def underscore(camel_cased_word)
return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
word = camel_cased_word.to_s.gsub("::", "/")
word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
- word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
- word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
+ word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
word.tr!("-", "_")
word.downcase!
word
--
2.30.2
|
