Fix a ReDoS vulnerability in URI template matching

Author: sporkmonger

.gitignore

@@ -10,3 +10,4 @@ pkg
 specdoc
 tmp/
 vendor/
+.claude/settings.local.json

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## Addressable 2.8.10 <a name="v2.8.10">
+- fixes ReDoS vulnerability in Addressable::Template#match
+
 ## Addressable 2.8.9 <a name="v2.8.9">
 - Reduce gem size by excluding test files ([#569])
 - No need for bundler as development dependency ([#571], [5fc1d93](https://github.com/sporkmonger/addressable/commit/5fc1d93))

addressable.gemspec

@@ -1,15 +1,15 @@
 # -*- encoding: utf-8 -*-
-# stub: addressable 2.8.9 ruby lib
+# stub: addressable 2.8.10 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "addressable".freeze
-  s.version = "2.8.9".freeze
+  s.version = "2.8.10".freeze
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
-  s.metadata = { "changelog_uri" => "https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.8.9" } if s.respond_to? :metadata=
+  s.metadata = { "changelog_uri" => "https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.8.10" } if s.respond_to? :metadata=
   s.require_paths = ["lib".freeze]
   s.authors = ["Bob Aman".freeze]
-  s.date = "2026-02-27"
+  s.date = "2026-04-04"
   s.description = "Addressable is an alternative implementation to the URI implementation that is\npart of Ruby's standard library. It is flexible, offers heuristic parsing, and\nadditionally provides extensive support for IRIs and URI templates.\n".freeze
   s.email = "[email protected]".freeze
   s.extra_rdoc_files = ["README.md".freeze]
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
   s.licenses = ["Apache-2.0".freeze]
   s.rdoc_options = ["--main".freeze, "README.md".freeze]
   s.required_ruby_version = Gem::Requirement.new(">= 2.2".freeze)
-  s.rubygems_version = "4.0.7".freeze
+  s.rubygems_version = "3.6.3".freeze
   s.summary = "URI Implementation".freeze
 
   s.specification_version = 4

lib/addressable/template.rb

@@ -39,6 +39,8 @@ class Template
       "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
     RESERVED =
       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
+    RESERVED_NO_COMMA =
+      "(?:[#{anything.delete(',')}]|%[a-fA-F0-9][a-fA-F0-9])"
     UNRESERVED =
       "(?:[#{
         Addressable::URI::CharacterClasses::UNRESERVED
@@ -1011,7 +1013,11 @@ def parse_new_template_pattern(pattern, processor = nil)
               "#{ UNRESERVED }*?"
             end
             if modifier == '*'
-              "(?<#{name}>#{group}(?:#{joiner}?#{group})*)?"
+              seg = case operator
+                    when '+', '#' then "#{RESERVED_NO_COMMA}*?"
+                    else group
+                    end
+              "(?<#{name}>#{seg}(?:#{joiner}?#{seg})*)?"
             else
               "(?<#{name}>#{group})?"
             end

lib/addressable/version.rb

@@ -23,7 +23,7 @@ module Addressable
     module VERSION
       MAJOR = 2
       MINOR = 8
-      TINY  = 9
+      TINY  = 10
 
       STRING = [MAJOR, MINOR, TINY].join('.')
     end

spec/addressable/template_spec.rb

@@ -1003,6 +1003,16 @@ def self.match(name)
           expect(subject.variables).to eq(["foo", "bar"])
         end
       end
+      context "+ operator with explode modifier" do
+        subject { Addressable::Template.new("{+foo*}") }
+        it "should match in linear time against a non-matching payload" do
+          expect do
+            Timeout.timeout(10) do
+              expect(subject.match(("a," * 1000) + " ")).to be_nil
+            end
+          end.not_to raise_error
+        end
+      end
       context ". operator" do
         subject { Addressable::Template.new("foo{.foo,bar}baz") }
         it "can match" do