From 4a75ecbfd73a8e92e32a1723b81a17e3136bd8fc Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Tue, 17 Jan 2023 13:32:28 -0800
Subject: [PATCH] Fix ReDoS vulnerability in name parsing

Thanks to @ooooooo_q for the patch!

[CVE-2023-22799]
---
 lib/global_id/uri/gid.rb | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/lib/global_id/uri/gid.rb b/lib/global_id/uri/gid.rb
index e9c16ef..931e3ab 100644
--- a/lib/global_id/uri/gid.rb
+++ b/lib/global_id/uri/gid.rb
@@ -123,9 +123,6 @@ def set_params(params)
 private
 COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze
 
- # Extracts model_name and model_id from the URI path.
- PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z)
-
 def check_host(host)
 validate_component(host)
 super
@@ -145,11 +142,11 @@ def check_scheme(scheme)
 end
 
 def set_model_components(path, validate = false)
- _, model_name, model_id = path.match(PATH_REGEXP).to_a
- model_id = CGI.unescape(model_id) if model_id
-
+ _, model_name, model_id = path.split('/', 3)
 validate_component(model_name) && validate_model_id(model_id, model_name) if validate
 
+ model_id = CGI.unescape(model_id) if model_id
+
 @model_name = model_name
 @model_id = model_id
 end
@@ -162,7 +159,7 @@ def validate_component(component)
 end
 
 def validate_model_id(model_id, model_name)
- return model_id unless model_id.blank?
+ return model_id unless model_id.blank? || model_id.include?('/')
 raise MissingModelIdError, "Unable to create a Global ID for " \
 "#{model_name} without a model id."
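Review bot: The order of the added `path.split('/', 3)` line, the validation call and the moved `CGI.unescape` line is now load-bearing and is undocumented: validation sees the raw segment, so validate_model_id rejects a literal `/` in the id while an escaped one (`%2F`) passes and only becomes `/` in @model_id afterwards, and the one explanatory comment (`# Extracts model_name and model_id from the URI path.`) went away with PATH_REGEXP in the first hunk. Suggested comment above the split: `# Split into at most three parts so any extra "/" segment stays inside model_id, where validate_model_id rejects it; unescape only after validation so an escaped "/" in an id remains acceptable.` Two edges the old regex handled differently are worth naming in that comment or a test: the regex required a leading `/` whereas split does not, so a path without one (if such a path can reach this method) shifts both components by one, and with `validate` left at its default of false a path like `/Person/1/extra` now yields a model_id of `1/extra` where the regex produced nil. The method's callers are outside the hunk, so whether either case is reachable cannot be confirmed from here.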
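Review bot: The new `|| model_id.include?('/')` condition raises MissingModelIdError whose message says `without a model id`, which is misleading when an id is present but malformed — the `/Person/1/extra` shape that the split in set_model_components now produces. A why-comment on the changed line would keep the next maintainer from hunting for a missing segment, e.g. `# A raw "/" here means the path had more than two segments (see set_model_components); escaped slashes are unescaped only after this check and remain valid ids.` If nothing matches on the message text, a distinct wording such as `"#{model_name} with a model id containing '/'"` for that branch would be clearer still, but that is a behaviour change the commit does not make. Note that this check only runs when set_model_components is called with `validate` true, per the second hunk.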