NumberConverter: reject scientific notation

byroot · jhawthorn · commit ee2c59e730e5 · 2026-03-23T11:18:50.000-07:00
BigDecimal support scientific notation, which allow expressing extremly large numbers with just a few bytes of input. This could be exploited to DOS a service if somehow user input is passed to number converter. [CVE-2026-33176] [GHSA-2j26-frm8-cmj9]
diff --git a/activesupport/lib/active_support/number_helper/number_converter.rb b/activesupport/lib/active_support/number_helper/number_converter.rb
@@ -180,7 +180,7 @@ def valid_bigdecimal
           when Float, Rational
             number.to_d(0)
           when String
-            BigDecimal(number, exception: false)
+            BigDecimal(number, exception: false) unless number.to_s.match?(/[de]/i)
           else
             number.to_d rescue nil
           end
diff --git a/activesupport/test/number_helper_test.rb b/activesupport/test/number_helper_test.rb
@@ -456,6 +456,18 @@ def test_number_helpers_should_return_non_numeric_param_unchanged
           assert_equal "x", number_helper.number_to_human("x")
         end
       end
+
+      def test_number_helpers_with_scientific_notation
+        [@instance_with_helpers, TestClassWithClassNumberHelpers, ActiveSupport::NumberHelper].each do |number_helper|
+          assert_equal "$123481223d98989", number_helper.number_to_currency("123481223d98989")
+          assert_equal "$11288E822220222", number_helper.number_to_currency("11288E822220222")
+          assert_equal "-$888E89789", number_helper.number_to_currency("-888E89789")
+
+          assert_equal "123481223d98989%", number_helper.number_to_percentage("123481223d98989")
+          assert_equal "11288E822220222%", number_helper.number_to_percentage("11288E822220222")
+          assert_equal "-888E89789%", number_helper.number_to_percentage("-888E89789")
+        end
+      end
     end
   end
 end
