Merge pull request #53490 from rails/rm-regexp-timeout-2

Default Regexp.timeout to 1s
2024-10-29 19:44:10 -04:00 · 2024-10-29 19:44:10 -04:00 · 6b6df4f658
parent bb0ba7dabe
commit 6b6df4f658
5 changed files with 29 additions and 0 deletions
--- a/guides/source/8_0_release_notes.md
+++ b/guides/source/8_0_release_notes.md
@ -40,6 +40,8 @@ Please refer to the [Changelog][railties] for detailed changes.

 ### Notable changes

+*   Set `Regexp.timeout` to `1`s by default to improve security over Regexp Denial-of-Service attacks.
+
 Action Cable
 ------------

--- a/guides/source/configuring.md
+++ b/guides/source/configuring.md
@ -62,6 +62,7 @@ Below are the default values associated with each target version. In cases of co

 #### Default Values for Target Version 8.0

+- [`Regexp.timeout`](#regexp-timeout): `1`
 - [`config.action_dispatch.strict_freshness`](#config-action-dispatch-strict-freshness): `true`
 - [`config.active_support.to_time_preserves_timezone`](#config-active-support-to-time-preserves-timezone): `:zone`

@ -3164,6 +3165,11 @@ Configures the HTML sanitizer used by Action Text by setting `ActionText::Conten

 NOTE: `Rails::HTML5::Sanitizer` is not supported on JRuby, so on JRuby platforms Rails will fall back to `Rails::HTML4::Sanitizer`.

+#### `Regexp.timeout`
+
+
+See Ruby's documentation for [`Regexp.timeout=`](https://docs.ruby-lang.org/en/3.3/Regexp.html#method-c-timeout-3D).
+
 ### Configuring a Database

 Just about every Rails application will interact with a database. You can connect to the database by setting an environment variable `ENV['DATABASE_URL']` or by using a configuration file called `config/database.yml`.
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@ -344,6 +344,8 @@ module Rails
          if respond_to?(:action_dispatch)
            action_dispatch.strict_freshness = true
          end
+
+          Regexp.timeout ||= 1
        when "8.1"
          load_defaults "8.0"
        else
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@ -4815,6 +4815,17 @@ module ApplicationTests
      assert_instance_of ActiveJob::QueueAdapters::TestAdapter, adapter
    end

+    test "Regexp.timeout is set to 1s by default" do
+      app "development"
+      assert_equal 1, Regexp.timeout
+    end
+
+    test "Regexp.timeout can be configured" do
+      add_to_config "Regexp.timeout = 5"
+      app "development"
+      assert_equal 5, Regexp.timeout
+    end
+
    private
      def set_custom_config(contents, config_source = "custom".inspect)
        app_file "config/custom.yml", contents
--- a/tools/rail_inspector/lib/rail_inspector/visitor/framework_default.rb
+++ b/tools/rail_inspector/lib/rail_inspector/visitor/framework_default.rb
@ -86,6 +86,14 @@ module RailInspector
                end
              @configs[target] = value
            end
+
+            def visit_opassign(node)
+              if node.operator.name == :"||="
+                visit_assign(node)
+              else
+                super
+              end
+            end
          end

          private