github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Ruby]: Server Side Template Injection #733

Closed maikypedia closed 1 year ago

maikypedia commented 1 year ago

Query PR

https://github.com/github/codeql/pull/12311

Language

Ruby

CVE(s) ID list

WIP

CWE

CWE-94: Code Injection

Report

This query covers the Server Side Template Injection vulnerability, which happens when an attacker is able to inject code into the template construction which gets evaluated, leading to RCE.

I used a dataflow configuration looking for RemoteFlowSource flowing to the construction of templates by ERB and Slim. The query also enforces that the former construction gets rendered.

In order to avoid false positives, I used StringConstCompareBarrier and StringConstArrayInclusionCallBarrier as barriers.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
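The source-to-sink pattern the submission describes, shown as an added Ruby example (this is not code from the PR or from the CodeQL query itself). It uses only the standard-library ERB engine (Slim is a third-party gem and is left out); the payload, the template strings and the allow-list are constructed for the demonstration. The vulnerable function builds the template source from the user value, so ERB compiles and evaluates it; the hardened form keeps the template a constant and hands the user value in as data, and the third function mirrors the constant-array inclusion check that the query treats as a barrier.

```ruby
require "erb"

# Constructed attacker input: ERB syntax that executes Ruby if it ever
# becomes part of the template *source* instead of template *data*.
PAYLOAD = "<%= 7 * 7 %>".freeze

# VULNERABLE: the user-controlled value is interpolated into the template
# source before ERB parses it. This is the sink the query looks for: a
# remote flow source reaching template construction, then being rendered.
def greet_vulnerable(name)
  ERB.new("Hello, #{name}!").result(binding)
end

# HARDENED: the template is a fixed literal compiled once; the user value is
# passed as a local via result_with_hash, so ERB never parses it as code.
SAFE_TEMPLATE = ERB.new("Hello, <%= name %>!")

def greet_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Allow-listed template selection. The user-supplied template_name is
# checked against a constant array before it selects a template; this is
# the shape of check the query's StringConstArrayInclusionCallBarrier
# treats as sanitising the value. The body value still only enters as data.
TEMPLATE_NAMES = %w[welcome goodbye].freeze
TEMPLATES = {
  "welcome" => "Welcome, <%= name %>!",
  "goodbye" => "Goodbye, <%= name %>!"
}.freeze

def render_named(template_name, name)
  unless TEMPLATE_NAMES.include?(template_name)
    raise ArgumentError, "unknown template: #{template_name.inspect}"
  end
  ERB.new(TEMPLATES.fetch(template_name)).result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  puts greet_vulnerable(PAYLOAD)          # => Hello, 49!   (payload evaluated)
  puts greet_safe(PAYLOAD)                # => Hello, <%= 7 * 7 %>!   (plain text)
  puts render_named("welcome", PAYLOAD)   # => Welcome, <%= 7 * 7 %>!
end
```

Note that `result_with_hash` does not HTML-escape; it only stops the value from being compiled as template code. Output escaping for a web context is a separate concern handled by the framework's helpers.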

p- commented 1 year ago

Hey @maikypedia Thanks for creating a Ruby query! Could you please provide at least one CVE that could (theoretically) have been found using this query?

maikypedia commented 1 year ago

Hello @p- 😄 , I've been searching and there seems to be no CVE related to Server Side Template Injection in Ruby (Slim or ERB). I'll continue my search and try to scan with MRVA.

ghsecuritylab commented 1 year ago

Your submission is now in status Final decision.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

xcorail commented 1 year ago

Hey @maikypedia 👋🏾 Can you please provide your HackerOne email address for the bounty payment? You can send it privately to me. Thanks!

ghsecuritylab commented 1 year ago

Your submission is now in status Pay.

xcorail commented 1 year ago

Created Hackerone report 1928279 for bounty 468627 : [733] [Ruby]: Server Side Template Injection

ghsecuritylab commented 1 year ago

Your submission is now in status Closed.