[BUG] Possible Denial of Service

Akashkarmakar787 commented 1 year ago

What I tried to do

Slow regex is being used: https://github.com/ruby-i18n/i18n/blob/master/lib/i18n/backend/interpolation_compiler.rb#L24-L25
```
TOKENIZER                    = /(%%\{[^\}]+\}|%\{[^\}]+\})/
INTERPOLATION_SYNTAX_PATTERN = /(%)?(%\{([^\}]+)\})/
```
What I expected to happen
solve the statement without taking much time.

What actually happened

Possible ReDoS. Can even crash the system in worst case
https://medium.com/@akashkarmakar787/redos-the-killer-stuff-7a28b14d80e

Versions of i18n, rails, and anything else you think is necessary

<=1.4.1. i18n affected.

Bonus points for providing an application or a small code example which reproduces the issue.

Thanks! :heart:

radar commented 1 year ago

Believe these will be fixed by #668 and #669

Akash-Karmakar-e3082 commented 1 year ago

@radar @kbrock Can we have a CVE for the issue?

kbrock commented 1 year ago

@Akash-Karmakar-e3082 you passed in a 40k character string, and it was going through character by character.

It had 4 checks per character, so it was 40k * 3 checks. It did not have any major backtraces, so it did not exhibit the O(n^2) slowdown like you had in your referenced article.

If you have reason to believe that this with exponentially take longer, please share how you came to that conclusion.

Also, can you share a quick example of why someone would localize content that was entered by a user? (An admin does not count. if the admin is nefarious, then they may as well just format the disk and be done)

ruby-i18n / i18n