From ac10b687041e12cb49a196acf79687d6f596114e Mon Sep 17 00:00:00 2001
From: Helio Cola
Date: Wed, 1 Nov 2023 23:18:17 -0400
Subject: [PATCH] Add tests for CVE-2023-31606
---
spec/security/CVE-2023-31606_spec.rb | 49 ++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 spec/security/CVE-2023-31606_spec.rb
diff --git a/spec/security/CVE-2023-31606_spec.rb b/spec/security/CVE-2023-31606_spec.rb
new file mode 100644
index 00000000..562647cb
--- /dev/null
+++ b/spec/security/CVE-2023-31606_spec.rb
@@ -0,0 +1,49 @@
+# https://github.com/advisories/GHSA-qcm3-vfq5-wfr2
+# https://github.com/e23e/CVE-2023-31606#readme
+# https://github.com/jgarber/redcloth/issues/73
+# https://github.com/jgarber/redcloth/pull/75
+
+require 'redcloth'
+
+describe 'CVE-2023-31606' do
+
+ it 'process malicious html without delay' do
+ # INFO (Helio): inside RedCloth repo, running `$ bundle exec rspec .`, with the test below, I can't replicate,
+ # on my development machine, the time spent on this sample text.
+ # However, on the same development machine, when I run this test this code, in a test-redcloth-regexp.rb script, in a rails app
+ # with `gem 'RedCloth'` in it, I was able to get the results indicated in the issue (https://github.com/jgarber/redcloth/issues/73),
+ # by https://github.com/e23e
+ # Here are the outputs:
+ # hac@MBP tcard % time ruby test-redcloth-regexp.rb
+ # 0.158047
+ # ruby test-redcloth-regexp.rb 0.12s user 0.11s system 82% cpu 0.279 total
+ # hac@MBP tcard % time ruby test-redcloth-regexp.rb
+ # 18.457945
+ # ruby test-redcloth-regexp.rb 18.32s user 0.22s system 99% cpu 18.556 total
+ # hac@MBP tcard % cat !$
+ # cat test-redcloth-regexp.rb
+ # require 'RedCloth'
+ # text = ' Example

")
+ end
+
+end
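Review bot: The INFO comment inside the example says the slow run could not be reproduced under `bundle exec rspec .` in this repo, only from a standalone script in a Rails app, so this spec may pass on vulnerable code and would not catch a regression of CVE-2023-31606. The assertion is not fully visible in this view; if it only compares output, run the conversion under an explicit time budget (for example inside `Timeout.timeout(...)` with `require 'timeout'`) so that a reintroduced backtracking regexp fails the example instead of merely slowing the suite. The pasted terminal transcript would read better condensed to one line such as `# standalone script: 0.158047s and 18.457945s across two runs, see issue #73`, and the comment should state which load path (`require 'redcloth'` here, `require 'RedCloth'` in the script) produced each measurement.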