From 63e8026805ae9e78ef44efd72e07aeca5c2244fe Mon Sep 17 00:00:00 2001
From: wang_yue111 <[email protected]>
Date: Mon, 15 Mar 2021 11:14:45 +0800
Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter.  This patch
fixes the regexp.

Thanks to @dee-see from Hackerone for this patch!

[CVE-2021-22880]
---
 lib/active_record/connection_adapters/postgresql/oid/money.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/active_record/connection_adapters/postgresql/oid/money.rb b/lib/active_record/connection_adapters/postgresql/oid/money.rb
index 6434377..3703e9a 100644
--- a/lib/active_record/connection_adapters/postgresql/oid/money.rb
+++ b/lib/active_record/connection_adapters/postgresql/oid/money.rb
@@ -26,9 +26,9 @@ module ActiveRecord
 
             value = value.sub(/^\((.+)\)$/, '-\1') # (4)
             case value
-            when /^-?\D+[\d,]+\.\d{2}$/  # (1)
+            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
               value.gsub!(/[^-\d.]/, "")
-            when /^-?\D+[\d.]+,\d{2}$/  # (2)
+            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
               value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
             end
 
-- 
2.23.0