Closed maikypedia closed 1 year ago
Hey @maikypedia Thanks for creating a Ruby query! Could you please provide at least one CVE that could (theoretically) have been found using this query?
Hello @p- 😄 , I've been searching and there seems to be no CVE related to Server Side Template Injection in Ruby (Slim or ERB). I'll continue my search and try to scan with MRVA.
Your submission is now in status Final decision.
For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Hey @maikypedia 👋🏾 Can you please provide your HackerOne email address for the bounty payment? You can send it privately to me. Thanks
Your submission is now in status Pay.
Created Hackerone report 1928279 for bounty 468627 : [733] [Ruby]: Server Side Template Injection
Your submission is now in status Closed.
Query PR
https://github.com/github/codeql/pull/12311
Language
Ruby
CVE(s) ID list
WIP
CWE
CWE‑94: Code Injection
Report
This query covers the Server Side Template Injection vulnerability, which happens when an attacker is able to inject code into the template construction which gets evaluated, leading to RCE.
I used a dataflow configuration looking for RemoteFlowSource flowing to the construction of templates by ERB and Slim. The query also enforces that the former construction gets rendered. In order to avoid false positives I used StringConstCompareBarrier and StringConstArrayInclusionCallBarrier as barriers.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response
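To make the sink and the barrier described in the report concrete, here is an added Ruby example (not code from the submission or from the CodeQL PR). It shows the vulnerable pattern the query flags (untrusted input used as ERB template source), the hardened form (fixed template, input passed as data), and a constant-array `include?` check of the kind `StringConstArrayInclusionCallBarrier` treats as sanitizing. All function and template names are assumptions.

```ruby
require 'erb'

# VULNERABLE: the untrusted string becomes part of the template source, so any
# ERB tags it contains are evaluated as Ruby when the template is rendered.
# This is the source-to-sink flow the query reports.
def render_greeting_vulnerable(name)
  ERB.new("Hello, #{name}!").result(binding)
end

# HARDENED: the template text is a constant; untrusted input only flows in as
# data, so ERB tags inside it are emitted literally instead of being evaluated.
GREETING_TEMPLATE = ERB.new('Hello, <%= name %>!')

def render_greeting_safe(name)
  GREETING_TEMPLATE.result_with_hash(name: name)
end

# Allowlist pattern: the user-controlled value is only used to pick a template
# after it has been checked against a constant array. A check of this shape
# (`%w[...].include?(x)`) is what the query's array-inclusion barrier models.
TEMPLATES = {
  'plain' => 'Hello, <%= name %>!',
  'fancy' => '*** Hello, <%= name %>! ***'
}.freeze

def render_from_allowlist(kind, name)
  raise ArgumentError, "unknown template: #{kind}" unless %w[plain fancy].include?(kind)

  ERB.new(TEMPLATES.fetch(kind)).result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input containing an ERB tag, to show the difference in handling.
  probe = '<%= 6 * 7 %>'
  puts render_greeting_vulnerable(probe)   # evaluated: "Hello, 42!"
  puts render_greeting_safe(probe)         # literal:   "Hello, <%= 6 * 7 %>!"
  puts render_from_allowlist('fancy', 'Ada')
end
```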