Backport CVE-2025-46727

NiklasHae · kratob · commit 959139e8d5d6 · 2025-05-19T10:57:54.000+02:00
diff --git a/rack/lib/rack/utils.rb b/rack/lib/rack/utils.rb
@@ -30,6 +30,10 @@ module Utils
       'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec',
     ].freeze
 
+    # QueryLimitError is for errors raised when the query provided exceeds one
+    # of the query parser limits.
+    class QueryLimitError < RangeError; end
+
     # URI escapes. (CGI style space to +)
     def escape(s)
       URI.encode_www_form_component(s)
@@ -63,6 +67,8 @@ class << self
       attr_accessor :param_depth_limit
       attr_accessor :multipart_total_part_limit
       attr_accessor :multipart_file_limit
+      attr_accessor :bytesize_limit # CVE-2025-46727
+      attr_accessor :params_limit # CVE-2025-46727
 
       # multipart_part_limit is the original name of multipart_file_limit, but
       # the limit only counts parts with filenames.
@@ -87,6 +93,34 @@ class << self
     # many can lead to excessive memory use and parsing time.
     self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
 
+    # This sets the default for the maximum query string bytesize that we will attempt to parse.
+    # Attempts to use a query string that exceeds this number of bytes will result in a
+    # `Rack::Utils::QueryLimitError` exception.
+    self.bytesize_limit = (ENV['RACK_QUERY_PARSER_BYTESIZE_LIMIT'] || 4194304).to_i
+
+    # This variable sets the default for the maximum number of query
+    # parameters that we will attempt to parse. Attempts to use a
+    # query string with more than this many query parameters will result in a
+    # `Rack::Utils::QueryLimitError` exception.
+    self.params_limit = (ENV['RACK_QUERY_PARSER_PARAMS_LIMIT'] || 4096).to_i
+
+    def check_query_string(qs, sep)
+      if qs
+        if qs.bytesize > Rack::Utils.bytesize_limit
+          raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{Rack::Utils.bytesize_limit})"
+        end
+
+        if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= Rack::Utils.params_limit
+          raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{Rack::Utils.params_limit})"
+        end
+
+        qs
+      else
+        ''
+      end
+    end
+    module_function :check_query_string
+
     # Stolen from Mongrel, with some small modifications:
     # Parses a query string by breaking it up at the '&'
     # and ';' characters.  You can also use this to parse
@@ -97,7 +131,7 @@ def parse_query(qs, d = nil, &unescaper)
 
       params = KeySpaceConstrainedParams.new
 
-      (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
+      check_query_string(qs, d).split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
         next if p.empty?
         k, v = p.split('=', 2).map(&unescaper)
         next unless k || v
@@ -120,7 +154,7 @@ def parse_query(qs, d = nil, &unescaper)
     def parse_nested_query(qs, d = nil)
       params = KeySpaceConstrainedParams.new
 
-      (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
+      check_query_string(qs, d).split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
         k, v = p.split('=', 2).map { |s| unescape(s) }
 
         normalize_params(params, k, v)
diff --git a/rack/test/spec_utils.rb b/rack/test/spec_utils.rb
@@ -383,6 +383,28 @@ def kcodeu
   should "clean slash only paths" do
     Rack::Utils.clean_path_info("/").should.equal "/"
   end
+
+  should "respect bytesize_limit to specify maximum size of query string to parse" do
+    Rack::Utils.bytesize_limit = 3
+    Rack::Utils.parse_query("a=a").should.equal({"a" => "a"})
+    Rack::Utils.parse_nested_query("a=a").should.equal({"a" => "a"})
+    Rack::Utils.parse_nested_query("a=a", '&').should.equal({"a" => "a"})
+    proc { Rack::Utils.parse_query("a=aa") }.should.raise(Rack::Utils::QueryLimitError)
+    proc { Rack::Utils.parse_nested_query("a=aa") }.should.raise(Rack::Utils::QueryLimitError)
+    proc { Rack::Utils.parse_nested_query("a=aa", '&') }.should.raise(Rack::Utils::QueryLimitError)
+    Rack::Utils.bytesize_limit = 4194304
+  end
+
+  it "accepts params_limit to specify maximum number of query parameters to parse" do
+    Rack::Utils.params_limit = 2
+    Rack::Utils.parse_query("a=a&b=b").should.equal({"a" => "a", "b" => "b"})
+    Rack::Utils.parse_nested_query("a=a&b=b").should.equal({"a" => "a", "b" => "b"})
+    Rack::Utils.parse_nested_query("a=a&b=b", '&').should.equal({"a" => "a", "b" => "b"})
+    proc { Rack::Utils.parse_query("a=a&b=b&c=c") }.should.raise(Rack::Utils::QueryLimitError)
+    proc { Rack::Utils.parse_nested_query("a=a&b=b&c=c", '&') }.should.raise(Rack::Utils::QueryLimitError)
+    proc { Rack::Utils.parse_query("b[]=a&b[]=b&b[]=c") }.should.raise(Rack::Utils::QueryLimitError)
+    Rack::Utils.params_limit = 4096
+  end
 end
 
 describe Rack::Utils, "byte_range" do
