Avoid backtracking in ActionMailer block_format

jhawthorn · makmic · jhawthorn · commit 6fdabdf97eef · 2024-10-23T17:30:46.000-07:00
[CVE-2024-47889] Thanks to yuki_osaki and scyoon for reporting this vulnerability Co-authored-by: Michael Leimstaedtner <michael.leimstaedtner@makandra.de>
diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb
@@ -25,10 +25,18 @@ def block_format(text)
       }.join("\n\n")
 
       # Make list points stand on their own line
-      formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { "  #{$1} #{$2.strip}\n" }
-      formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { "  #{$1} #{$2.strip}\n" }
+      output = +""
+      splits = formatted.split(/(\*+|\#+)/)
+      while line = splits.shift
+        if line.start_with?("*", "#") && splits.first&.start_with?(" ")
+          output.chomp!(" ") while output.end_with?(" ")
+          output << "  #{line} #{splits.shift.strip}\n"
+        else
+          output << line
+        end
+      end
 
-      formatted
+      output
     end
 
     # Access the mailer instance.
diff --git a/actionmailer/test/mail_helper_test.rb b/actionmailer/test/mail_helper_test.rb
@@ -121,4 +121,17 @@ def test_use_cache
       assert_equal "Greetings from a cache helper block", mail.body.encoded
     end
   end
+
+  def helper
+    Object.new.extend(ActionMailer::MailHelper)
+  end
+
+  def test_block_format
+    assert_equal "  * foo\n", helper.block_format(" * foo")
+    assert_equal "  * foo\n", helper.block_format("   * foo")
+    assert_equal "  * foo\n", helper.block_format("* foo")
+    assert_equal "  * foo\n*bar", helper.block_format("* foo*bar")
+    assert_equal "  * foo\n  * bar\n", helper.block_format("* foo * bar")
+    assert_equal "  *", helper.block_format("* ")
+  end
 end
