From 7d7a2a600b332372eaa50f823bddb941d9f55469 Mon Sep 17 00:00:00 2001
From: ch4n3-yoon
Date: Tue, 13 Aug 2024 19:36:33 +0900
Subject: [PATCH] Add linear performance test to verify ReDoS mitigation in PermitScrubber
---
 test/sanitizer_test.rb | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 8cfb523..0234058 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -1026,6 +1026,26 @@ def test_should_sanitize_across_newlines
 assert_equal "", sanitize_css(raw)
 end
 
+
+ def test_linear_perfomance_svg
+ seq = [5000, 10000, 20000, 40000]
+ times = []
+
+ seq.each do |n|
+ payload = ""
+ elapsed_time = Benchmark.realtime {
+ safe_list_sanitize(payload)
+ }
+ times << elapsed_time
+ end
+
+ # Manually check for linear performance growth
+ times.each_cons(2) do |prev_time, next_time|
+ assert_operator next_time, :<, prev_time * 4, "ReDoS vulnerability detected! Execution time increased too rapidly."
+ end
+ end
+
+
 protected
 def safe_list_sanitize(input, options = {})
 module_under_test::SafeListSanitizer.new.sanitize(input, options)
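Review bot: The payload in the new test never depends on `n` — as shown, `payload = ""` is assigned inside `seq.each do |n|` and `n` is otherwise unused, so every iteration benchmarks an empty string and the `assert_operator` check cannot detect a regression; if the markup was lost in rendering, restore it, otherwise build it from `n` (e.g. `payload = "<svg>#{'a' * n}</svg>"`, a constructed placeholder for whatever input the scrubber's pattern has to scan). Wall-clock ratios on a sanitize call that takes a few milliseconds are noisy, so `next_time < prev_time * 4` may flake on a loaded CI runner; where the regex under test is reachable from the test, a deterministic `assert Regexp.linear_time?(pattern)` (Ruby 3.2+) is the stronger guard to pair with the timing check. The method name carries a typo (`test_linear_perfomance_svg` → `test_linear_performance_svg`), and `Benchmark` needs `require "benchmark"` unless the test helper already loads it, which this hunk does not show. The hunk's first context line belongs to `test_should_sanitize_across_newlines`, whose start is outside the hunk, and `safe_list_sanitize` closes outside it as well.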