Fix [CVE-2024-47889]: Avoid backtracking in ActionMailer block_format

denzelem · codener · commit 6693ba5ff31c · 2024-10-25T13:49:35.000+02:00
diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb
@@ -2,16 +2,24 @@ module MailHelper
   # Uses Text::Format to take the text and format it, indented two spaces for
   # each line, and wrapped at 72 columns.
   def block_format(text)
-    formatted = text.split(/\n\r\n/).collect { |paragraph| 
+    formatted = text.split(/\n\r\n/).collect { |paragraph|
       Text::Format.new(
         :columns => 72, :first_indent => 2, :body_indent => 2, :text => paragraph
       ).format
     }.join("\n")
-    
+
     # Make list points stand on their own line
-    formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { |s| "  #{$1} #{$2.strip}\n" }
-    formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { |s| "  #{$1} #{$2.strip}\n" }
+    output = ""
+    splits = formatted.split(/(\*+|\#+)/)
+    while line = splits.shift
+      if line.start_with?("*", "#") && splits[0] && splits[0].start_with?(" ")
+        output.chomp!(" ") while output.end_with?(" ")
+        output << "  #{line} #{splits.shift.strip}\n"
+      else
+        output << line
+      end
+    end
 
-    formatted
+    output
   end
 end
diff --git a/actionmailer/test/mail_helper_test.rb b/actionmailer/test/mail_helper_test.rb
@@ -91,5 +91,36 @@ def test_use_mail_helper
     assert_match %r{  But soft!}, mail.encoded
     assert_match %r{east, and\n  Juliet}, mail.encoded
   end
+
+  def helper
+    Object.new.extend(MailHelper)
+  end
+
+  def test_block_format
+    assert_equal "  * foo\n", helper.block_format(" * foo")
+    assert_equal "  * foo\n", helper.block_format("   * foo")
+    assert_equal "  * foo\n", helper.block_format("* foo")
+    assert_equal "  * foo\n*bar\n", helper.block_format("* foo*bar")
+    assert_equal "  * foo\n  * bar\n", helper.block_format("* foo * bar")
+    assert_equal "  *\n", helper.block_format("* ")
+  end
+
+  # Test case for CVE-2024-47889
+  def test_block_format_asterisk
+    assert_nothing_raised do
+      Timeout.timeout(0.1) do
+        helper.block_format('  ' + '*' * 50_000)
+      end
+    end
+  end
+
+  # Test case for CVE-2024-47889
+  def test_block_format_hashtag
+    assert_nothing_raised do
+      Timeout.timeout(0.1) do
+        helper.block_format('  ' + '#' * 50_000)
+      end
+    end
+  end
 end
 
