addressable 2.8.9 → 2.9.0

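--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: d530bb874824f8d1004aaea0fb9cd6721e0bd791c404fcb1a15f79f821f056b1
-data.tar.gz: a9f4955da072c19e998744fedd8dd12129027caae3f4854108054358ee0b740f
+metadata.gz: ffaab8b78df30a2126058a425f168d76b26bc33e60849cabc1a6beabae24464d
+data.tar.gz: 841ab2bd18fbcf3ff746cb85ea1661e628e278e6c7bc5ad96cd480e36a54f067
 SHA512:
-metadata.gz: 216c9bf5530cd1265b9418864d0ab4222ce7040c5cbb5501e6185ad44058970423f025291511cbabad3e20115dab935476af53c4e4aeffd79a7e3423f6770045
-data.tar.gz: 2c5ddcfa6e8e51bef14738173066debd7a54b920f68568e689d49bb0111ac0320d660440db8011912cd943f895ea0a4f62e387ac4699bde736c74db779c35845
+metadata.gz: f5884313cb2c68ea73d25e8f7f0a76200030bb3fb7abad8b31532180b1ae3c1df10f8db614a273dba115c87860682d227fdf046c743370e020a577cae667d026
+data.tar.gz: c97dd91446991ce20400e9b4c2586aefbc1dca9fd1d49efca9606fc505ff0d49807686ab1fdfd7d4dba447c9c4bf8fb6c0bbd5a1d3d69a4952207d035e912dc2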
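--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## Addressable 2.9.0 <a name="v2.9.0">
+- fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete
+remediation in 2.8.10)
+
+## Addressable 2.8.10 <a name="v2.8.10">
+- fixes ReDoS vulnerability in Addressable::Template#match
+
 ## Addressable 2.8.9 <a name="v2.8.9">
 - Reduce gem size by excluding test files ([#569])
 - No need for bundler as development dependency ([#571], [5fc1d93](https://github.com/sporkmonger/addressable/commit/5fc1d93))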
@@ -39,6 +39,8 @@ module Addressable
39
39
  "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
40
40
  RESERVED =
41
41
  "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
42
+ RESERVED_NO_COMMA =
43
+ "(?:[#{anything.delete(',')}]|%[a-fA-F0-9][a-fA-F0-9])"
42
44
  UNRESERVED =
43
45
  "(?:[#{
44
46
  Addressable::URI::CharacterClasses::UNRESERVED
@@ -985,7 +987,8 @@ module Addressable
985
987
  _, operator, varlist = *expansion.match(EXPRESSION)
986
988
  leader = Regexp.escape(LEADERS.fetch(operator, ''))
987
989
  joiner = Regexp.escape(JOINERS.fetch(operator, ','))
988
- combined = varlist.split(',').map do |varspec|
990
+ varspecs = varlist.split(',')
991
+ combined = varspecs.map do |varspec|
989
992
  _, name, modifier = *varspec.match(VARSPEC)
990
993
 
991
994
  result = processor && processor.respond_to?(:match) ? processor.match(name) : nil
@@ -1011,7 +1014,15 @@ module Addressable
1011
1014
  "#{ UNRESERVED }*?"
1012
1015
  end
1013
1016
  if modifier == '*'
1014
- "(?<#{name}>#{group}(?:#{joiner}?#{group})*)?"
1017
+ seg = case operator
1018
+ when '+', '#' then "#{RESERVED_NO_COMMA}*+"
1019
+ else group
1020
+ end
1021
+ joiner_pattern = operator.nil? ? joiner : "#{joiner}?"
1022
+ "(?<#{name}>#{seg}(?:#{joiner_pattern}#{seg})*)?"
1023
+ elsif varspecs.size > 1 && (operator == '+' || operator == '#') &&
1024
+ varspec != varspecs.last
1025
+ "(?<#{name}>#{RESERVED_NO_COMMA}*+)?"
1015
1026
  else
1016
1027
  "(?<#{name}>#{group})?"
1017
1028
  end
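Review bot: The `varspec != varspecs.last` test in the new `elsif` compares values, not positions, so a variable name that is repeated in an explode list (a constructed case such as `{+x,x}`) sends its first occurrence down the `else` branch with the backtracking-prone `group` instead of the possessive `RESERVED_NO_COMMA*+`; I cannot see from these hunks whether the parser rejects duplicate names earlier. Iterating with the index would make the position check exact: `combined = varspecs.each_with_index.map do |varspec, idx|` in the preceding hunk, and here `elsif (operator == '+' || operator == '#') && idx < varspecs.size - 1`, which also makes the `varspecs.size > 1` guard redundant. The `*` branch still emits `"#{joiner}?"` followed by a non-possessive, lazy `group` for every operator other than `+`, `#` and nil, a shape similar to the one remediated here, so a regression spec that matches a long non-matching input against templates using those operators under a time bound would show whether the incomplete-remediation history recorded in the changelog is fully closed. The enclosing method begins and ends outside these hunks.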
@@ -22,8 +22,8 @@ if !defined?(Addressable::VERSION)
22
22
  module Addressable
23
23
  module VERSION
24
24
  MAJOR = 2
25
- MINOR = 8
26
- TINY = 9
25
+ MINOR = 9
26
+ TINY = 0
27
27
 
28
28
  STRING = [MAJOR, MINOR, TINY].join('.')
29
29
  end
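--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: addressable
 version: !ruby/object:Gem::Version
-version: 2.8.9
+version: 2.9.0
 platform: ruby
 authors:
 - Bob Aman
@@ -53,7 +53,7 @@ homepage: https://github.com/sporkmonger/addressable
 licenses:
 - Apache-2.0
 metadata:
-changelog_uri: https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.8.9
+changelog_uri: https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.9.0
 rdoc_options:
 - "--main"
 - README.md
@@ -70,7 +70,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: URI Implementation
 test_files: []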