Merge pull request #290 from Shopify/dominiqueflaaa.prevent-ReDoS

Configure Regexp timeout
Shopify · Oct 8, 2024 · 2e53778 · 2e53778
2 parents d697625 + 5d30276
commit 2e53778
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,9 +26,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Security in case of vulnerabilities.
 
 ## [Unreleased]
-
+- Nil.
 ---
 
+## [1.11.1] - 2024-10-02
+- Configure regexp timeout in Worldwide#Phone [#290](https://github.com/Shopify/worldwide/pull/290)
+
 ## [1.11.0] - 2024-10-02
 - Add address1_regex to regions [#281](https://github.com/Shopify/worldwide/pull/281)
 - Add address1_regex for BE, CL, MX, ES, IL [#282](https://github.com/Shopify/worldwide/pull/282)

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -13,7 +13,7 @@ GIT
 PATH
  remote: .
  specs:
- worldwide (1.11.0)
+ worldwide (1.11.1)
  activesupport (>= 7.0)
  i18n
  phonelib (~> 0.8)

diff --git a/lib/worldwide/phone.rb b/lib/worldwide/phone.rb
@@ -137,14 +137,19 @@ def split_extension(input)
  number = input.downcase
 
  ["ext", "x", ";"].each do |separator|
- if number.include?(separator)
- m = number.match(Regexp.new("(?<base>[0-9a-z +-]*)\\s*#{separator}\\.?\\s*(?<ext>.*)"))
- return [m["base"], m["ext"]] unless m.nil?
- end
+ next unless number.include?(separator)
+
+ m = number.match(Regexp.new(
+ "(?<base>[0-9a-z +-]*)\\s*#{separator}\\.?\\s*(?<ext>.*)",
+ timeout: 1,
+ ))
+ return [m["base"], m["ext"]] unless m.nil?
  end
 
  # If we get this far, then we have not found an extension, and assume that the full input is just a public number
  [input, nil]
+ rescue Regexp::TimeoutError
+ [input, nil]
  end
 
  # Convert exotic characters to ASCII

diff --git a/lib/worldwide/version.rb b/lib/worldwide/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Worldwide
- VERSION = "1.11.0"
+ VERSION = "1.11.1"
 end