Add linear performance test to verify ReDoS mitigation in PermitScrubber

rails · Aug 13, 2024 · 7d7a2a6 · 7d7a2a6
1 parent 798ea0c
commit 7d7a2a6
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -1026,6 +1026,26 @@ def test_should_sanitize_across_newlines
       assert_equal "", sanitize_css(raw)
     end
 
+
+    def test_linear_perfomance_svg
+      seq = [5000, 10000, 20000, 40000]
+      times = []
+
+      seq.each do |n|
+        payload = "<svg><set xlink:href='#{"\n" * n}'/></svg>"
+        elapsed_time = Benchmark.realtime {
+          safe_list_sanitize(payload)
+        }
+        times << elapsed_time
+      end
+
+      # Manually check for linear performance growth
+      times.each_cons(2) do |prev_time, next_time|
+        assert_operator next_time, :<, prev_time * 4, "ReDoS vulnerability detected! Execution time increased too rapidly."
+      end
+    end
+
+
     protected
       def safe_list_sanitize(input, options = {})
         module_under_test::SafeListSanitizer.new.sanitize(input, options)