github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Ruby]: Add Template Injection Sink #739

Closed maikypedia closed 1 year ago

maikypedia commented 1 year ago

Query PR

https://github.com/github/codeql/pull/12821

Language

Ruby

CVE(s) ID list

CWE

CWE-94: Code Injection

Report

This query detects render inline: (Rails) as a sink for Server-Side Template Injection vulnerabilities, which happen when an attacker is able to inject code into the template construction that then gets evaluated, leading to RCE.

Using the query with MRVA, I found a Bootstrap demo app that was vulnerable (I have to say that the application was intended to render ERB), but it can serve as an example that this is a dangerous sink.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
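The sink described in the report, as an added Ruby example that is not part of this submission or of the CodeQL query it links. Rails' render inline: compiles the given string as an ERB template; the `render_inline` helper below is a stand-in that reproduces that behaviour with the standard-library ERB class so it runs without Rails (an assumption for illustration, not Rails' own implementation). The sample input is constructed. The vulnerable variant splices user input into the template source, so ERB syntax in the input is evaluated; the hardened variant keeps the template source fixed and hands the user value over as a local, the same separation the `locals:` option gives in Rails.

```ruby
require "erb"

# Stand-in for Rails' `render inline:` (assumption: Rails compiles the inline
# string as an ERB template; this version uses the standard-library ERB class
# so it runs without Rails). Values in `locals` are exposed to the template as
# local variables, like the `locals:` option does.
def render_inline(template_source, locals = {})
  ERB.new(template_source).result_with_hash(locals)
end

# Vulnerable pattern: the user-controlled value becomes part of the template
# source, so anything that looks like ERB syntax in it is evaluated.
def greeting_vulnerable(user_name)
  render_inline("<h1>Hello #{user_name}</h1>")
end

# Hardened pattern: the template source is a fixed string; the user value is
# passed as a local and HTML-escaped, so it is treated as data, never as code.
def greeting_hardened(user_name)
  render_inline("<h1>Hello <%= ERB::Util.html_escape(user_name) %></h1>",
                user_name: user_name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input that contains ERB syntax.
  probe = "<%= 6 * 7 %>"
  puts greeting_vulnerable(probe) # the expression inside the input was evaluated
  puts greeting_hardened(probe)   # the input is shown verbatim, HTML-escaped
end
```

Reviewing a Rails code base for this sink comes down to the same distinction: a render inline: whose template string is a literal (optionally with locals:) is fine; one whose template string is built from request data is the pattern the query flags.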

ghsecuritylab commented 1 year ago

Your submission is now in status Final decision.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

xcorail commented 1 year ago

Hi @maikypedia ,

Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined the CVE provided in this submission is not applicable and therefore your submission is not eligible for a reward under the Bug Bounty program.

Best regards and happy hacking!

ghsecuritylab commented 1 year ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed