pact-foundation / pact-net

.NET version of Pact. Enables consumer driven contract testing, providing a mock service and DSL for the consumer project, and interaction playback and verification for the service provider project.
https://pact.io
MIT License

Several critical and high security issues in libraries used in nuget package PactNet.OSX 3.0.2 #485

Closed larouchefrancois closed 9 months ago

larouchefrancois commented 10 months ago

Hi pact-foundation team,

Great job by the way! We really love the project!

While running SCA scans against the latest nuget package PactNet.OSX 3.0.2, it found several critical and high security issues in the bundled libraries used in the package, all for what I assume is the support on Mac machines. I know the issues are the same for the PactNet Linux nuget packages.

There are:

The good news is that, it appears that all security issues have been fixed in the more recent versions of the libraries in cause (See recommendation in the table below).

I took the time to make a table with enough information to help fix the security issues.

| Severity | CVE # | Library in cause | Description | Recommendation | Root cause |
|---|---|---|---|---|---|
| Critical | CVE-2016-7954 | Bundler 1.x | The rubygem-bundler package is vulnerable to Improper Input Validation. The definition.rb, dsl.rb, lockfile_parser.rb and rubygems.rb files allow installing a gem from an unintended source without checking the source lines when using both rubygems.org and gems.github.com sources. A remote attacker can exploit this vulnerability by creating a malicious gem on RubyGems.org with the same name as used in another Github gem on a remote system and entice the user to install the malicious gem, which may lead to arbitrary code execution. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/definition.rb` [1.3.0.pre, 1.16.0.pre.1)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/dsl.rb` [1.3.0.pre, 1.16.0.pre.1)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/lockfile_parser.rb` [1.3.0.pre, 1.16.0.pre.1)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/source/rubygems.rb` [1.3.0.pre, 1.16.0.pre.1) |
| Critical | CVE-2017-0899 | RubyGems v2.6.12 and earlier | The rubygems package is vulnerable to Code Injection. The format_text subroutine in text.rb and the output_versions subroutine in query_command.rb do not properly sanitize text from gem specs before printing it. An attacker can exploit this using a maliciously crafted gem spec file containing terminal escape characters, which when printed would execute terminal escape sequences. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/commands/query_command.rb` [1.3.2, 2.6.13)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/text.rb` [1.3.2, 2.6.13) |
| Critical | CVE-2017-0903 | RubyGems between v2.0.0 and v2.6.13 | RubyGems (and by extension, the rubygems-update package) is vulnerable to Remote Code Execution due to unsafe YAML object deserialization. When processing gems, the read_checksums() subroutine in package.rb deserializes certain portions of the gem specification (specifically, checksums.yaml.gz) using the unsafe YAML.load function. An attacker can exploit this vulnerability by crafting a Ruby gem containing a maliciously crafted checksums.yaml.gz file in the gem specification, which itself contains malicious serialized YAML data. When this file is deserialized by RubyGems, the malicious code will be executed and will result in Remote Code Execution. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/config_file.rb` [2.0.0.preview2, 2.6.14)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/package.rb` [2.0.0.preview2, 2.6.14)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/package/old.rb` [2.0.0.preview2, 2.6.14) |
| Critical | CVE-2022-30123 | Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 | The rack package is vulnerable to Command Injection. The log() subroutine in the common_logger.rb file and the check_env() subroutine in the lint.rb file fail to sanitize escape sequences within certain parameters of request data, such as the REQUEST_METHOD. A remote attacker can exploit this vulnerability by submitting crafted requests containing a combination of escape sequences and shell commands. This will result in the execution of the aforementioned commands when the Lint or CommonLogger middleware logs the request object. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/common_logger.rb` [2.1.0, 2.1.4.1)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/lint.rb` [2.1.0, 2.1.4.1) |
| High | CVE-2019-8320 | RubyGems 2.7.6 and later through 3.0.2 | The rubygems-update package is vulnerable to Directory Traversal. The install_location() function in the package.rb file fails to check against symlinks and deletes the target destination when decompressing tar files. A remote authenticated attacker can exploit this by issuing a destination directory hidden behind a symlink that is actually outside of the allowed destination directory and delete critical files on the victim's machine. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If you cannot upgrade to RubyGems 3.0.3 or 2.7.9, please use the patch for RubyGems 2.6. Ref: https://bugs.ruby-lang.org/attachments/7669 | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/package.rb` [2.0.0.preview2, 2.7.9) |
| High | CVE-2019-8321 | RubyGems 2.6 and later through 3.0.2 | The rubygems-update package is vulnerable to Escape Sequence Injection. The verbose subroutine in user_interaction.rb reflects user input into messages that are placed into the console with escape sequences. An attacker can exploit this behavior to inject escape sequences into one of these messages that can potentially allow the attacker to execute commands on the vulnerable system. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If running RubyGems 2.6 there is a patch available that can mitigate this vulnerability that can be found here: https://bugs.ruby-lang.org/attachments/7669 | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/user_interaction.rb` [2.3.0, 2.7.9) |
| High | CVE-2019-8322 | RubyGems 2.6 and later through 3.0.2 | The rubygems-update package is vulnerable to an Escape Sequence Injection attack. The show_owners() subroutine in the owner_command.rb file allows an attacker to inject malicious escape sequences into the API responses. The output is then sent to stdout without any validation, making it possible for dangerous control characters to be executed. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If you can't upgrade to later versions, consider applying this patch to RubyGems 2.6. Reference: https://bugs.ruby-lang.org/attachments/7669 | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/commands/owner_command.rb` [1.3.6, 2.7.9) |
| High | CVE-2019-8323 | RubyGems 2.6 and later through 3.0.2 | The rubygems-update package is vulnerable to an Escape Sequence Injection attack. The with_response() subroutine in the gemcutter_utilities.rb file allows an attacker to inject malicious escape sequences into the API responses. The output is then sent to stdout without any validation, making it possible for dangerous control characters to be executed. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If you can't upgrade to later versions, consider applying this patch to RubyGems 2.6. Reference: https://bugs.ruby-lang.org/attachments/7669 | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/gemcutter_utilities.rb` [1.3.6, 2.7.9) |
| High | CVE-2019-8324 | RubyGems 2.6 and later through 3.0.2 | The rubygems-update package is vulnerable to Remote Code Execution (RCE). The pre_install_checks() function in the installer.rb file fails to properly validate gem names before performing ensure_loadable_spec which, consequently, executes any arbitrary code within a given malicious multiline gem name during the preinstall check. A remote attacker can exploit this vulnerability by crafting and publishing a gem using a multiline gem name containing malicious code. The attacker can then entice a victim into installing the malicious gem, resulting in RCE when the preinstall check is performed. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/installer.rb` [2.0.0.rc.1, 2.7.9) |
| High | CVE-2019-8325 | RubyGems 2.6 and later through 3.0.2 | The rubygems-update package is vulnerable to Escape Sequence Injection. The run, process_args and load_and_instantiate subroutines in command_manager.rb don't validate user input when displaying error messages. An attacker can cause an error message with malicious escape sequences to potentially execute commands that wouldn't normally be possible. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If using RubyGems 2.6, there is a patch that can be used to mitigate the vulnerability that can be found here: https://bugs.ruby-lang.org/attachments/7669 | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/command_manager.rb` [0.9.3, 2.7.9) |
| High | CVE-2020-25613 | Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1 | The webrick package is vulnerable to HTTP Request Smuggling. The read_body subroutine in the httprequest.rb file, when processing requests that contain both Content-Length and Transfer-Encoding: chunked headers, gives precedence to the former. Consequently, when carriage return (\r) and line feed (\n) (CRLF) characters are present in the Content-Length header, the request is split and the remainder of the request body is interpreted as a separate request. A remote attacker can leverage this behavior to smuggle requests to the server in order to bypass security controls, gain access to otherwise restricted information, hijack user sessions, or perform various other attacks. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/webrick-1.3.1/lib/webrick/httprequest.rb` ( , 1.4.4) |
| High | CVE-2021-43809 | Bundler before 2.2.33 | The bundler package is vulnerable to Argument Injection. The checkout subroutine in the git_proxy.rb file constructs a git command without accounting for - in user input. This would result in the input being treated as an optional argument instead of a positional one. A local attacker can exploit this behavior by crafting a directory containing a Gemfile file that declares a dependency located in a Git repository via a URL in the form of -u./payload. The attacker can then share the aforementioned directory with a victim and entice them to run a bundler command that evaluates the crafted Gemfile. This will result in arbitrary code execution on the victim's machine. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/source/git/git_proxy.rb` [1.3.0.pre, 2.2.33) |
| High | CVE-2022-30122 | Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 | The rack package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The get_filename() subroutine in the parser.rb file uses the unsafe BROKEN_QUOTED regular expression provided by the multipart.rb file to parse filenames from multipart requests. A remote attacker can exploit this vulnerability by submitting crafted POST requests in order to cause catastrophic backtracking and ultimately a DoS condition. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/multipart.rb` [2.1.0, 2.1.4.1)<br>`PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/multipart/parser.rb` [2.1.0, 2.1.4.1) |
| High | CVE-2022-44570 | Rack >= 1.5.0 | The rack package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The get_byte_ranges() subroutine in the utils.rb file uses an unsafe regular expression to parse byte ranges from Range headers of incoming HTTP requests. A remote attacker can exploit this vulnerability by submitting a request with a Range header that contains a long string of repeating numeric characters within the range-start or range-end directives. Processing this request will result in catastrophic backtracking and ultimately a DoS condition. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/utils.rb` [2.1.0, 2.1.4.2) |
| High | CVE-2022-44571 | Rack 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1 | The rack package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The parser.rb and multipart.rb files use an unsafe regular expression to parse the Content-Disposition fields of multipart attachments. A remote attacker can exploit this vulnerability by submitting a multipart request with a Content-Disposition field containing a long string of repeating characters. This will result in catastrophic backtracking and ultimately a DoS condition when the application attempts to process the request. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/multipart.rb` [2.1.0, 2.1.4.2) |
| High | CVE-2022-44572 | Rack 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 | The rack package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The parser.rb and multipart.rb files use unsafe regular expressions to parse attributes from incoming HTTP requests. A remote attacker can exploit this vulnerability by submitting a multipart request leveraging strings of control characters within its attributes. Processing this request may result in catastrophic backtracking and ultimately a DoS condition. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/multipart.rb` [2.1.0, 2.1.4.2) |
| High | CVE-2023-27530 | Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 | The rack package is vulnerable to Uncontrolled Resource Consumption. The check_open_files() subroutine in parser.rb fails to limit the total number of parts that may be uploaded in MIME multipart requests. Attackers that can make requests to an application using this library to parse MIME multipart requests may craft malicious requests that cause the parser to use all available system resources, causing the application server to crash, resulting in a Denial of Service (DoS) condition. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/multipart/parser.rb` [2.1.0, 2.1.4.3) |
| High | CVE-2023-27539 | Rack > 0.4.0 | The rack package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The parse_http_accept_header() subroutine in the request.rb file uses an insecure regular expression to parse and split headers from incoming requests. An attacker can exploit this vulnerability by submitting a request with a maliciously crafted header, which when parsed will result in catastrophic backtracking, and consequently a DoS condition. | We recommend upgrading to a version of this component that is not vulnerable to this specific issue. | `PactNet.OSX-3.0.2.nupkgtools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/request.rb` [0.4.0, 2.2.6.4) |
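As an added example (not part of this issue and not PactNet project code), the following Ruby script checks the gem versions visible in vendored paths, as an SCA tool or an `unzip -l` of the .nupkg would list them, against affected ranges copied from the table above. It uses Ruby's own `Gem::Version` and `Gem::Requirement`, so pre-release versions such as `1.16.0.pre.1` compare exactly as RubyGems compares them. `AFFECTED` carries only a subset of the table's rows, `SAMPLE_PATHS` is constructed for the example, and the `rack-2.2.8` entry is a made-up patched version included to show a non-match.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby itself

# Affected ranges taken from the table above: "[low, high)" means low <= v < high,
# "( , high)" means v < high. Only a subset of rows is listed; add the rest the same way.
AFFECTED = [
  { cve: 'CVE-2016-7954',  gem: 'bundler', req: '>= 1.3.0.pre, < 1.16.0.pre.1' },
  { cve: 'CVE-2021-43809', gem: 'bundler', req: '>= 1.3.0.pre, < 2.2.33' },
  { cve: 'CVE-2022-30123', gem: 'rack',    req: '>= 2.1.0, < 2.1.4.1' },
  { cve: 'CVE-2022-44570', gem: 'rack',    req: '>= 2.1.0, < 2.1.4.2' },
  { cve: 'CVE-2023-27530', gem: 'rack',    req: '>= 2.1.0, < 2.1.4.3' },
  { cve: 'CVE-2020-25613', gem: 'webrick', req: '< 1.4.4' },
].freeze

# Constructed sample of vendored file paths; the rack-2.2.8 line is a made-up
# patched version so that the run shows a gem that is NOT flagged.
SAMPLE_PATHS = [
  'tools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/dsl.rb',
  'tools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/lint.rb',
  'tools/pact-osx/lib/vendor/ruby/2.2.0/gems/webrick-1.3.1/lib/webrick/httprequest.rb',
  'tools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.2.8/lib/rack/lint.rb',
].freeze

# Matches the "<name>-<version>" directory that RubyGems creates under any gems/ folder.
# The lazy name group lets hyphenated gem names (e.g. rack-test-0.8.3) parse correctly.
GEM_DIR = %r{/gems/(?<name>[A-Za-z0-9_\-]+?)-(?<version>\d[\w.]*)/}

# Collect { gem name => [versions] } from a list of vendored paths.
def vendored_gems(paths)
  paths.each_with_object(Hash.new { |h, k| h[k] = [] }) do |path, acc|
    m = GEM_DIR.match(path) or next
    acc[m[:name]] << m[:version] unless acc[m[:name]].include?(m[:version])
  end
end

# True when `version` falls inside the comma-separated requirement string.
# satisfied_by? is a plain version comparison, so prerelease tags are honoured.
def vulnerable?(version, req)
  Gem::Requirement.new(*req.split(',').map(&:strip))
                  .satisfied_by?(Gem::Version.new(version))
end

# Cross the vendored gems with the affected ranges; one finding per (CVE, version) hit.
def findings(paths, affected = AFFECTED)
  gems = vendored_gems(paths)
  affected.flat_map do |a|
    gems.fetch(a[:gem], [])
        .select { |v| vulnerable?(v, a[:req]) }
        .map { |v| { cve: a[:cve], gem: a[:gem], version: v } }
  end
end

if $PROGRAM_NAME == __FILE__
  findings(SAMPLE_PATHS).each do |f|
    puts format('%-16s %-8s %s', f[:cve], f[:gem], f[:version])
  end
end
```

Feeding the script a real listing of the package (for example the output of `unzip -l PactNet.OSX.3.0.2.nupkg`) reproduces the bundler, rack and webrick hits from the table; the single-branch ranges such as `[2.1.0, 2.1.4.1)` only cover the 2.1.x line, so a package vendoring rack 2.0.x or 2.2.x needs the corresponding branch ranges added to `AFFECTED`.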
YOU54F commented 10 months ago

PactNet is now on 4.x, and that is an older unsupported version. This was a sub-package that contained arch specific files, but is no longer required, and just the main PactNet project is.

https://www.nuget.org/packages/PactNet/4.5.0

larouchefrancois commented 10 months ago

That's great news then.

If I understand well, the new 4.x version supports Linux and OSX out of the box without the use of Ruby? In that case I'll close the ticket upon confirmation. I was actually wondering why it wasn't possible in the first place with .Net Core. But I'm sure there were good reasons.

YOU54F commented 10 months ago

PactNet relies on a shared core, once developed in Ruby but now developed in Rust.

Ruby updates were not an option at the time, and still are not officially today, by the main packaging maintainer, but I have a fork of the packaging system which updated to the latest Ruby and added additional archs.

pact-net 4.x was mainlined by that point and changes are not being backported to the 3.x line.

Full details of the ecosystem reside here:

https://docs.pact.io/diagrams/ecosystem

larouchefrancois commented 9 months ago

Thanks that makes sense.

We did test the new code and it does work as you said it would. However, the nuget package uses an older release that doesn't include the new capabilities (v3 specification and less), only the nuget package 5.0.0-beta.1 supports the new V4.

@adamrodger Hi Adam, I saw you are the main contributor on the Beta and I was wondering if you had any idea when that Beta will be in final release. Thanks in advance for your answer!

As for this issue I will close it once I have an idea when it will be fixed. As far as the nuget package goes the vulnerabilities still stand.

adamrodger commented 9 months ago

The beta is currently blocked on some changes in the FFI, and I'm not sure on the progress of those.

Basically the problem is that pact files should be able to contain both regular HTTP interactions and messaging interactions within the same file, but currently if you try to do that it causes a number of problems.

The API should hopefully be correct for that use case now, but if you try to use it then there are errors. Separate files still work fine though, and I've been using 5.0.0-beta.1 in production ever since it was released with no issues.

Also I want to replace Newtonsoft with System.Text.Json (see the RFCs in the issues tracker) which would be a breaking change, hence not releasing 5.x when there's potential breaking changes pending.

adamrodger commented 9 months ago

By the way - this particular issue won't be fixed. The 3.x series is now deprecated and won't receive further updates.