Closed Sim4n6 closed 1 month ago
I summarized what I learned in a newsletter-format publication about this issue here.
Your submission is now in status Test run.
For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Your submission is now in status Results analysis.
Your submission is now in status Final decision.
Thanks for the submission @Sim4n6 !
We have reviewed your report and validated your findings. After internally assessing the findings and the query, we have determined that this query does not fulfill the criteria to be included in the CodeQL query suites and is not eligible for a reward under the Bug Bounty program.
However, we find this query is a good candidate for the CodeQL-Community-Packs. We invite you to submit this query (just the .ql file) as a pull request to the CodeQL-Community-Packs repo (into the folder ruby/src/security/CWE-770). We think this contribution will be valuable for the community and we'd still like to offer you a $500 "thank you" reward.
Best regards and happy hacking!
Created Hackerone report 2519370 for bounty 581161 : [823] [Ruby]: Denial of Service due to the use of unconstrained integer/float
Your submission is now in status Closed.
So unfortunate, but indeed the query deserves much more effort... Anyway, it got CVE-2024-35231.
Regards @sim4n6
Query PR
https://github.com/github/codeql/pull/16206
Language
Ruby
CVE(s) ID list
CWE
CWE-770: Allocation of Resources Without Limits or Throttling
Report
Application-level Denial of Service due to the unconstrained use of a user-controlled value (integer/float) in the allocation of a resource without limitation.

The source is remote user-controlled data, like `/?days=31`. Through a vulnerable path, this value reaches, without limitation, Ruby code that controls how many times a sync operation is repeated, like `1.upto(days) do # something`. An exploit would be to issue `/?days=9999999` to potentially cause an application-level denial of service remotely.

I've studied CVE-2022-23837, a denial of service in sidekiq. I have put focus on the fix commit https://github.com/sidekiq/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956. I noticed the following:

- The source can be `params` too. So I extended `RemoteFlowSource::Range`.
- The condition on the number of times the operation `date.strftime()` is executed can be reached by the remote user data `days_previous`.
- I broadened the sink reach. The CVE fix considers limiting the pattern `A.downto(B)`, but there are also `A.upto(B)` and `A.times()`.
- The for loop and the unconditional loop appear to be of interest too, in a case like `for i in 1..days`.
- There was an additional flow step added for a case like the use of a default value: `(days || 31).to_i`.
- In case the incoming user data is limited, that is not a valid hit; this is handled by the sanitizer `underAValue`.
- Other cases exist that could be considered as sanitizers, `A.between?(1,100)` for instance.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
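The source-to-sink pattern the report describes, as an added example that is not code from the submission, from sidekiq, or from the CodeQL query. It is a constructed handler that mirrors the shape of the sidekiq case: a `days` query parameter with the `(days || 31).to_i` default becomes the bound of a loop that calls `strftime` once per iteration. The `params` hash, the `MAX_DAYS` cap, and every function name here are assumptions for illustration; the two hardened variants show the `between?` sanitizer mentioned above and a `clamp` alternative.

```ruby
require 'date'

# Assumed cap on how many days a caller may request (constructed value).
MAX_DAYS = 180

# Vulnerable: the user-controlled `days` parameter, defaulted with
# (days || 31).to_i, is used directly as the upper bound of 1.upto(days).
# A request like /?days=9999999 makes this run ~10 million iterations,
# each allocating a formatted string: an application-level DoS.
def labels_unbounded(params)
  days = (params['days'] || 31).to_i
  labels = []
  1.upto(days) { |i| labels << (Date.today - i).strftime('%Y-%m-%d') }
  labels
end

# Hardened, variant 1: reject out-of-range input and fall back to the
# default. `between?` is the sanitizer pattern A.between?(1,100) from the
# report; anything outside [1, MAX_DAYS] never reaches the loop bound.
def days_previous(params)
  days = (params['days'] || 31).to_i
  return 31 unless days.between?(1, MAX_DAYS)
  days
end

# Hardened, variant 2: clamp into the allowed range instead of rejecting.
# Negative or non-numeric input ('abc'.to_i == 0) becomes 1, huge input
# becomes MAX_DAYS.
def days_clamped(params)
  (params['days'] || 31).to_i.clamp(1, MAX_DAYS)
end

# Same work as labels_unbounded, but the loop bound is sanitized first.
def labels_bounded(params)
  days = days_previous(params)
  (1..days).map { |i| (Date.today - i).strftime('%Y-%m-%d') }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters standing in for a web framework's params.
  puts labels_unbounded('days' => '3').inspect        # three date labels
  puts days_previous('days' => '9999999')             # 31 (rejected, default)
  puts days_clamped('days' => '9999999')              # 180 (clamped)
  puts labels_bounded('days' => '9999999').size       # 31 labels, not ~10M
end
```

Both hardened variants are equivalent from the query's point of view: the loop bound is derived from a value that has passed a range check, so `days` no longer carries unbounded remote input into `upto`. Rejecting (`between?`) is preferable when an out-of-range request should be treated as an error; clamping is the friendlier choice for a dashboard-style endpoint like sidekiq's.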