Merge pull request rails#53490 from rails/rm-regexp-timeout-2

rafaelfranca · rafaelfranca · commit 6b6df4f658d0 · 2024-10-29T23:44:53.000Z
Default Regexp.timeout to 1s
diff --git a/guides/source/8_0_release_notes.md b/guides/source/8_0_release_notes.md
@@ -40,6 +40,8 @@ Please refer to the [Changelog][railties] for detailed changes.
 
 ### Notable changes
 
+*   Set `Regexp.timeout` to `1`s by default to improve security over Regexp Denial-of-Service attacks.
+
 Action Cable
 ------------
 
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
@@ -62,6 +62,7 @@ Below are the default values associated with each target version. In cases of co
 
 #### Default Values for Target Version 8.0
 
+- [`Regexp.timeout`](#regexp-timeout): `1`
 - [`config.action_dispatch.strict_freshness`](#config-action-dispatch-strict-freshness): `true`
 - [`config.active_support.to_time_preserves_timezone`](#config-active-support-to-time-preserves-timezone): `:zone`
 
@@ -3164,6 +3165,11 @@ Configures the HTML sanitizer used by Action Text by setting `ActionText::Conten
 
 NOTE: `Rails::HTML5::Sanitizer` is not supported on JRuby, so on JRuby platforms Rails will fall back to `Rails::HTML4::Sanitizer`.
 
+#### `Regexp.timeout`
+
+
+See Ruby's documentation for [`Regexp.timeout=`](https://docs.ruby-lang.org/en/3.3/Regexp.html#method-c-timeout-3D).
+
 ### Configuring a Database
 
 Just about every Rails application will interact with a database. You can connect to the database by setting an environment variable `ENV['DATABASE_URL']` or by using a configuration file called `config/database.yml`.
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
@@ -344,6 +344,8 @@ def load_defaults(target_version)
           if respond_to?(:action_dispatch)
             action_dispatch.strict_freshness = true
           end
+
+          Regexp.timeout ||= 1
         when "8.1"
           load_defaults "8.0"
         else
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
@@ -4815,6 +4815,17 @@ class Foo < ApplicationRecord
       assert_instance_of ActiveJob::QueueAdapters::TestAdapter, adapter
     end
 
+    test "Regexp.timeout is set to 1s by default" do
+      app "development"
+      assert_equal 1, Regexp.timeout
+    end
+
+    test "Regexp.timeout can be configured" do
+      add_to_config "Regexp.timeout = 5"
+      app "development"
+      assert_equal 5, Regexp.timeout
+    end
+
     private
       def set_custom_config(contents, config_source = "custom".inspect)
         app_file "config/custom.yml", contents
diff --git a/tools/rail_inspector/lib/rail_inspector/visitor/framework_default.rb b/tools/rail_inspector/lib/rail_inspector/visitor/framework_default.rb
@@ -86,6 +86,14 @@ def visit_assign(node)
                 end
               @configs[target] = value
             end
+
+            def visit_opassign(node)
+              if node.operator.name == :"||="
+                visit_assign(node)
+              else
+                super
+              end
+            end
           end
 
           private
