braintree / braintree_ruby

Braintree Ruby library
https://developer.paypal.com/braintree/docs/start/overview
MIT License
446 stars, 195 forks

Possible ReDos in the AddressGateway class #232

Closed Akash-Karmakar-e3082 closed 1 year ago

Akash-Karmakar-e3082 commented 1 year ago

General information

(Screenshot attached: 2023-06-08 at 1:08:55 AM)
hollabaq86 commented 1 year ago

👋 @Akash-Karmakar-e3082 thanks for reaching out. It looks like you're testing in a pretty old version of Ruby and the SDK. Do you encounter the same issue after updating to v3 of the Ruby SDK?

I'm currently unable to replicate this in a test container that's running Ruby 3.0.1 and the latest version of the SDK.

Akash-Karmakar-e3082 commented 1 year ago

@hollabaq86 I believe the issue is reproducible only in lower versions of Ruby. From the 3.2 series of Ruby, it provides a built-in timeout handler (https://blog.kiprosh.com/ruby-3-2-0-introduce/), so it won't be an issue for higher versions of Ruby. Can we have a CVE for the lower version, as many applications might be using it?
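The built-in timeout referred to in the comment above, as an added example (not code from braintree_ruby or from either commenter): on Ruby 3.2+ an application can bound matching time per regexp, or process-wide so that regexp literals inside a dependency are covered too. `SLOW_PATTERN` is a constructed textbook backtracking pattern, and the helper names are assumptions; on Ruby older than 3.2 the helpers return `:unsupported` because a running match cannot be interrupted there.

```ruby
# Added example, not part of the braintree_ruby project. Assumes Ruby >= 3.2,
# which introduced Regexp timeouts (Regexp.timeout= and Regexp.new(..., timeout:)).

# Constructed pathological pattern: the nested quantifier plus the back-reference
# keeps Ruby 3.2's memoization optimization from applying, so the engine
# backtracks exponentially on a long run of "a" followed by a non-matching char.
SLOW_PATTERN = '\A(a+)+\1\z'

def timeout_supported?
  Regexp.respond_to?(:timeout=)
end

# Match +input+ against +source+ with a per-regexp timeout (seconds).
# Returns :match, :no_match, :timeout, or :unsupported (Ruby < 3.2).
def match_with_timeout(source, input, seconds)
  return :unsupported unless timeout_supported?
  re = Regexp.new(source, timeout: seconds)
  re.match?(input) ? :match : :no_match
rescue Regexp::TimeoutError
  :timeout
end

# Process-wide default: applies to every Regexp without its own timeout,
# including literals compiled inside gems. Previous value is restored afterwards.
def with_global_regexp_timeout(seconds)
  return :unsupported unless timeout_supported?
  previous = Regexp.timeout
  Regexp.timeout = seconds
  yield
rescue Regexp::TimeoutError
  :timeout
ensure
  Regexp.timeout = previous if timeout_supported?
end

# A literal regexp with no per-instance timeout, bounded only by the global default.
def classify_under_global_timeout(input, seconds)
  with_global_regexp_timeout(seconds) do
    input.match?(/\A(a+)+\1\z/) ? :match : :no_match
  end
end

if __FILE__ == $PROGRAM_NAME
  evil = "a" * 40 + "!"                                  # constructed input
  p match_with_timeout(SLOW_PATTERN, "aaaa", 1.0)        # :match
  p match_with_timeout(SLOW_PATTERN, evil, 0.2)          # :timeout
  p classify_under_global_timeout(evil, 0.2)             # :timeout
end
```

Setting `Regexp.timeout` once at boot (for example in an initializer) is the practical way to cap a ReDoS inside a library whose regexps the application cannot edit; the raised `Regexp::TimeoutError` then surfaces in logs instead of a hung worker.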

hollabaq86 commented 1 year ago

@Akash-Karmakar-e3082 I recommend submitting a report via Hackerone so that our security team can review and advise us on next steps.