If-None-Match evil regex

I was curious about the catastrophic backtracking mentioned in https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

The change is to remove a regex /\s*,\s*/ and replace it with simpler procedural processing. But this regex is pretty simple. It doesn’t seem like the ones that are used as examples in the articles on evil regexes that I’ve seen (for example, it doesn’t have obvious alternation where the regex engine has to choose how to match a character to part of the regex).

Is there really a pattern that would cause catastrophic backtracking with this simple regex?

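A short experiment answers the question above. The Ruby below is an added example written for this page, not code from the thread or from Rails: the two parser functions are a reconstruction of the shape of the vulnerable and fixed code (an If-None-Match value split on /\s*,\s*/ versus on a literal comma followed by strip) and are assumed rather than copied from ActionDispatch, and comma_tests_for is a toy backtracking matcher for just that pattern, included to count where the work goes. The hostile header is constructed: a long run of spaces with no comma in it. The point it shows is that alternation is not required for bad backtracking; a greedy \s* followed by a literal that never arrives is enough. At each start position the engine eats the whole whitespace run, fails on the comma, gives back one character per retry, then the scan restarts one position later and repeats, for a triangular (quadratic, not exponential) amount of work.

```ruby
# Added example for the thread above; not code from the discussion or from Rails.

# Reconstruction (assumed, not copied from ActionDispatch) of the vulnerable shape:
# split a comma-separated header on a regex that also swallows surrounding spaces.
def etags_with_regex(if_none_match)
  if_none_match ? if_none_match.split(/\s*,\s*/) : []
end

# Procedural replacement: split on the literal comma, strip each piece.
# Every step is linear in the header length, whatever the header contains.
def etags_procedural(if_none_match)
  if_none_match ? if_none_match.split(",").map(&:strip) : []
end

# Toy backtracking matcher for exactly /\s*,\s*/, counting comma comparisons.
# Greedy \s* consumes the whole whitespace run from the start position, the
# literal ',' fails, and the engine gives back one character per retry. The
# scan then restarts one position later and does it again, so a run of n
# spaces costs (n+1)(n+2)/2 comparisons: quadratic without any alternation.
def comma_tests_for(s)
  tests = 0
  (0..s.length).each do |start|
    j = start
    j += 1 while j < s.length && s[j].match?(/\s/)   # greedy \s*
    while j >= start                                  # backtrack toward start
      tests += 1
      return tests if s[j] == ","                     # first match ends the search
      j -= 1
    end
  end
  tests
end

def seconds_for
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  yield
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

if __FILE__ == $PROGRAM_NAME
  header = %q{"abc", W/"def",  "ghi"}                 # constructed, well-formed value
  p etags_with_regex(header)
  p etags_procedural(header)

  [100, 200, 400].each do |n|                         # toy counter: ~4x per doubling
    puts "#{n} spaces -> #{comma_tests_for(' ' * n)} comma tests"
  end

  [5_000, 10_000, 20_000].each do |n|                 # constructed hostile header
    payload = " " * n
    r = seconds_for { etags_with_regex(payload) }
    q = seconds_for { etags_procedural(payload) }
    printf("n=%6d  regex %.4fs  procedural %.6fs\n", n, r, q)
  end
end
```

On a Ruby older than 3.2 the regex column grows roughly fourfold each time the payload doubles while the procedural column stays flat; on Ruby 3.2 and later the same split runs in linear time because the engine memoizes visited (position, pattern-node) states for simple patterns like this one, and Regexp.timeout= exists as a backstop. The two parsers differ on degenerate input, for example whitespace before the first ETag (the regex version keeps it), which does not matter for ETag comparison but is worth knowing when swapping one for the other.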

I’m not seeing it either. I’m guessing it is the second report down on HackerOne by wonda_tea_coffee, since they thanked that user and that is the only recent report to Rails by that user on HackerOne.

Unfortunately it is redacted. I might assume they are keeping it redacted because it’s a recent vuln and they want to keep the details limited. But looking through that list the Rails project leaves a lot of stuff redacted, even stuff years old…

Worth noting that much of this family of attacks becomes a non-issue in Ruby 3.2 due to regex engine improvements.