github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Ruby]: DOS through Decompression #776

Closed am0o0 closed 3 months ago

am0o0 commented 1 year ago

Query PR

https://github.com/github/codeql/pull/13556

Language

Ruby

CVE(s) ID list

CWE

No response

Report

Extracting compressed files with any compression algorithm like gzip can cause denial of service attacks. Attackers can compress a huge file, which is created by repeating a similar byte, and convert it to a small compressed file. I added the only sanitizer that I think is available, which is checking the size of each uncompressed zip entry. Also, I added some instances of some really popular additional taint steps which I think would be good to be added as global steps.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
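Added example (Ruby, not code from the PR or the CodeQL query): the unbounded decompression pattern the report describes next to a bounded variant that enforces an output-size cap while inflating, which is the "check the uncompressed size" sanitizer applied to a gzip stream. The 1 MiB limit, the function names and the repetitive gzip sample are constructed for illustration.

```ruby
require 'zlib'
require 'stringio'

# Maximum number of bytes we are willing to inflate from one compressed stream.
# The value is an assumed policy limit for this example, not one from the PR.
MAX_DECOMPRESSED_BYTES = 1024 * 1024 # 1 MiB

class DecompressionBombError < StandardError; end

# Unsafe pattern: inflates the whole stream into memory with no bound on the
# output size, so a tiny input of repeated bytes can expand to a huge allocation.
def inflate_unbounded(gzip_bytes)
  Zlib::GzipReader.new(StringIO.new(gzip_bytes)).read
end

# Hardened variant: streams the output in fixed-size chunks and aborts as soon
# as the running total exceeds the limit, before the full expansion is allocated.
def inflate_bounded(gzip_bytes, limit: MAX_DECOMPRESSED_BYTES, chunk: 64 * 1024)
  reader = Zlib::GzipReader.new(StringIO.new(gzip_bytes))
  out = +""
  while (piece = reader.read(chunk))
    out << piece
    if out.bytesize > limit
      raise DecompressionBombError,
            "decompressed output exceeded #{limit} bytes " \
            "(compressed input was #{gzip_bytes.bytesize} bytes)"
    end
  end
  out
ensure
  reader&.close
end

# Constructed sample: a highly repetitive plaintext, the kind of payload that
# compresses extremely well and therefore has a very large expansion ratio.
def build_repetitive_gzip(size)
  Zlib.gzip("A" * size)
end

if $PROGRAM_NAME == __FILE__
  bomb = build_repetitive_gzip(8 * 1024 * 1024) # 8 MiB of "A"
  puts "compressed size: #{bomb.bytesize} bytes"
  begin
    inflate_bounded(bomb)
  rescue DecompressionBombError => e
    puts "rejected: #{e.message}"
  end
  puts "accepted: #{inflate_bounded(build_repetitive_gzip(1024)).bytesize} bytes"
end
```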

am0o0 commented 1 year ago

@Kwstubbs I already made the DB for the GitLab vulnerable version and also I made a GitHub repo for the vulnerable version, but the problem is I can't get results because of performance (I can't run even a simple API graph node query). But you can read this related issue, which can be found from this original CVE advisory link, to see what the vulnerable snippet is, so we can test only that part of the code.

am0o0 commented 1 year ago

@Kwstubbs it seems that the problem was from my local Ruby CodeQL DB; my GitHub repo has a good DB which you can run MRVA on, or download it and run tests on it!

p- commented 12 months ago

Hey @amammad 👋 Could you please remove the local CodeQL sources for the zip bomb query in the PR (and only keep the remote flow sources)? Testing the query with local sources was a bit noisy, which does not fit well into a query suite where you don't want to have too many FPs. (However, for security research/testing you would want those results of course as well 😉 )

Thanks

Kwstubbs commented 12 months ago

@amammad Please do this for DOS queries of all languages. Thank you.

am0o0 commented 11 months ago

@p- @Kwstubbs I'll remove these local steps.

PS: I'm wondering about the - in the usernames :))

p- commented 11 months ago

Hey @amammad 👋

> I'll remove these local steps.

I saw you likely did that in a commit on the 11th of October - is this query now ready for another test run?

am0o0 commented 11 months ago

Hi @p- Yes. This query is ready for another test run.

ghsecuritylab commented 11 months ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 11 months ago

Your submission is now in status Results analysis.


ghsecuritylab commented 11 months ago

Your submission is now in status Query review.


ghsecuritylab commented 3 months ago

Your submission is now in status Final decision.


xcorail commented 3 months ago

Created Hackerone report 2529365 for bounty 583171 : [776] [Ruby]: DOS through Decompression

ghsecuritylab commented 3 months ago

Your submission is now in status Closed.
