Avoid backtracing in plain_text_for_blockquote_node

[CVE-2024-47888] Co-authored-by: ooooooo_q <ooooooo-q@users.noreply.github.com>
rails · Oct 15, 2024 · ba286c0 · ba286c0
1 parent 27121e8
commit ba286c0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/actiontext/lib/action_text/plain_text_conversion.rb b/actiontext/lib/action_text/plain_text_conversion.rb
@@ -65,7 +65,12 @@ def plain_text_for_figcaption_node(node, index)
 
       def plain_text_for_blockquote_node(node, index)
         text = plain_text_for_block(node)
-        text.sub(/\A(\s*)(.+?)(\s*)\Z/m, '\1“\2”\3')
+        return "“”" if text.blank?
+
+        text = text.dup
+        text.insert(text.rindex(/\S/) + 1, "”")
+        text.insert(text.index(/\S/), "“")
+        text
       end
 
       def plain_text_for_li_node(node, index)

diff --git a/actiontext/test/unit/plain_text_conversion_test.rb b/actiontext/test/unit/plain_text_conversion_test.rb
@@ -17,6 +17,20 @@ class ActionText::PlainTextConversionTest < ActiveSupport::TestCase
     )
   end
 
+  test "<blockquote> tag with whitespace" do
+    assert_converted_to(
+      "   “Hello world!” ",
+      "<blockquote>   Hello world! </blockquote>"
+    )
+  end
+
+  test "<blockquote> tag with only whitespace" do
+    assert_converted_to(
+      "“”",
+      "<blockquote> </blockquote>"
+    )
+  end
+
   test "<ol> tags are separated by two new lines" do
     assert_converted_to(
       "Hello world!\n\n1. list1\n\n1. list2\n\nHow are you?",