From 412c980450ca729ee37f90a2661f166a9665e058 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Tue, 2 Jul 2024 11:29:28 +0700 Subject: [PATCH] Merge pull request from GHSA-cj83-2ww7-mvq7 * fix: ReDoS in the `parse_http_accept_header` method Signed-off-by: Dwi Siswanto * fix: optimize HTTP Accept headers parsing by: * updated `parse_http_accept_header` method to avoid unnecessary array allocation from `map`. * used `strip!` to modify strings in place, avoiding additional string allocations. * plus, safe navigation for `parameters` to handle nil cases. this improves memory efficiency in header parsing. Co-authored-by: Jeremy Evans Signed-off-by: Dwi Siswanto --------- Signed-off-by: Dwi Siswanto Co-authored-by: Jeremy Evans --- lib/rack/request.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/rack/request.rb b/lib/rack/request.rb index b880b6ec..ccbd07da 100644 --- a/lib/rack/request.rb +++ b/lib/rack/request.rb @@ -642,8 +642,10 @@ module Rack end def parse_http_accept_header(header) - header.to_s.split(/\s*,\s*/).map do |part| - attribute, parameters = part.split(/\s*;\s*/, 2) + header.to_s.split(',').map do |part| + attribute, parameters = part.split(';', 2) + attribute.strip! + parameters&.strip! quality = 1.0 if parameters and /\Aq=([\d.]+)/ =~ parameters quality = $1.to_f -- 2.43.0.windows.1
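Review bot: the `attribute.strip!` line in this hunk can raise `NoMethodError` on nil when the header contains an empty list element (for example `text/html,,text/plain` or a leading comma): `part.split(',')` yields an empty string for that element, and `"".split(';', 2)` returns `[]`, so `attribute` is nil. The old `map` body tolerated that case because it never called a method on `attribute`; the commit message adds safe navigation only for `parameters`. Suggest either `attribute&.strip!` with a `next` on nil, or filtering empty parts before the `map`, so a malformed `Accept` header degrades gracefully instead of producing a 500. The rest of the hunk is sound: plain-string `split(',')` / `split(';', 2)` plus `strip!` removes the overlapping `\s*` quantifiers that made the old regexes backtrack, and the remaining `/\Aq=([\d.]+)/` is anchored and linear.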