Open bcoles opened 3 months ago
URI.unescape is no longer supported as of Ruby 3.0 but is still used within a few modules:
```
# grep -rn "URI.unescape" modules/
modules/exploits/multi/http/dexter_casinoloader_exec.rb:81: return Rex::Text.decode_base64(URI.unescape(res.get_cookies['response='.length..-1]))[1..-3]
modules/exploits/multi/http/dexter_casinoloader_exec.rb:98: Rex::Text.decode_base64(URI.unescape(res.get_cookies['response='.length..-1])) == '$' + testvalue + ';#' and database_get_field('users', 'name', 0) != false
modules/post/multi/gather/lastpass_creds.rb:333: account_map[account][browser]['lp_creds'][URI.unescape(creds[0])] = { 'lp_password' => nil }
modules/post/multi/gather/lastpass_creds.rb:335: sha256_hex_email = OpenSSL::Digest::SHA256.hexdigest(URI.unescape(creds[0]))
modules/post/multi/gather/lastpass_creds.rb:337: creds[1] = decrypt_data(sha256_binary_email, URI.unescape(creds[1]))
modules/post/multi/gather/lastpass_creds.rb:338: account_map[account][browser]['lp_creds'][URI.unescape(creds[0])] = { 'lp_password' => creds[1] }
modules/post/multi/gather/lastpass_creds.rb:554: request.set_form_data('wxsessid' => URI.unescape(session_cookie_value), 'uuid' => browser_map['lp_2fa'])
modules/auxiliary/gather/ie_sandbox_findfiles.rb:132: f = URI.unescape(request.uri.gsub('/found/?f=', ''))
modules/auxiliary/gather/ie_sandbox_findfiles.rb:137: f = URI.unescape(request.uri.gsub('/notfound/?f=', ''))
modules/auxiliary/scanner/sap/sap_icm_urlscan.rb:175: url_dec = URI.unescape(url_enc).sub(/;/, '')
modules/auxiliary/scanner/http/rails_mass_assignment.rb:47: parsed_data = queryparse(URI.unescape(datastore['DATA']))
modules/auxiliary/scanner/http/rails_mass_assignment.rb:49: parsed_data = queryparse(URI.unescape(datastore['QUERY']))
```
To reproduce:
```
msf6 > use auxiliary/scanner/http/rails_mass_assignment
msf6 auxiliary(scanner/http/rails_mass_assignment) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(scanner/http/rails_mass_assignment) > set DATA test
DATA => test
msf6 auxiliary(scanner/http/rails_mass_assignment) > run
[-] Auxiliary failed: NoMethodError undefined method `unescape' for URI:Module
[-] Call stack:
[-] /root/Desktop/metasploit-framework/modules/auxiliary/scanner/http/rails_mass_assignment.rb:47:in `run_host'
[-] /root/Desktop/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:128:in `block (2 levels) in run'
[-] /root/Desktop/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rails_mass_assignment) >
```
Thanks! For whoever picks this up, we should verify this rubocop rule is wired up correctly to make sure these method calls don't sneak in again
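Added example, not part of the issue thread and not Metasploit's own code: when the calls listed above are migrated, the choice of replacement matters, because percent-decoding leaves `+` alone while form decoding turns it into a space, which changes hashed e-mail addresses and base64 cookie values. The thread names no replacement; `URI::RFC2396_Parser#unescape` is assumed here, and the helper names and sample values are constructed.

```ruby
require 'uri'

# Assumption: URI::RFC2396_Parser#unescape stands in for the removed
# URI.unescape; the thread itself does not name a replacement.
LEGACY_PARSER = URI::RFC2396_Parser.new

# Percent-decoding only: "%40" => "@", while "+" stays "+".
def legacy_unescape(str)
  LEGACY_PARSER.unescape(str)
end

# Form decoding: "%40" => "@" and additionally "+" => " ".
def form_unescape(str)
  URI.decode_www_form_component(str)
end

# Decode one value both ways and report whether the results agree.
def compare_decoders(encoded)
  legacy = legacy_unescape(encoded)
  form = form_unescape(encoded)
  { legacy: legacy, form: form, same: legacy == form }
end

# Constructed samples (not taken from any real target or module run).
SAMPLE_EMAIL  = 'user+tag%40example.com' # a value that gets hashed, cf. lastpass_creds.rb:335
SAMPLE_COOKIE = '++++b2s%3D'             # base64 text, cf. dexter_casinoloader_exec.rb:81

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_EMAIL, SAMPLE_COOKIE].each do |value|
    result = compare_decoders(value)
    puts "#{value.inspect}: legacy=#{result[:legacy].inspect} " \
         "form=#{result[:form].inspect} same=#{result[:same]}"
  end
  # Strict base64 decoding only succeeds on the percent-decoded form,
  # because the form-decoded string contains spaces instead of "+".
  puts legacy_unescape(SAMPLE_COOKIE).unpack1('m0').inspect
end
```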