Adds Record For facade/ignition RCE: CVE-2021-3129

[freshleafmedia]

This PR adds a record for the facade/ignition RCE vulnerability.

• https://www.ambionics.io/blog/laravel-debug-rce
• Fix MakeViewVariableOptionalSolution to disallow stream wrappers and files that do not end in .blade.php facade/ignition#334
• CVE-2021-3129 facade/ignition#353

[naderman]

Am I missing something? If I look at https://github.com/facade/ignition/tree/1.16.14 it doesn't seem to actually contain the fix? Did something go wrong with tagging there @freekmurze ?

[freshleafmedia]

@naderman Is this not the fixed code: https://github.com/facade/ignition/blob/1.16.14/src/Solutions/MakeViewVariableOptionalSolution.php#L74-L90

[naderman]

@freshleafmedia It is, but it looks to me like it's actually a version of 2.5 containing the fix that was accidentally taged as 1.16? The rest of the code is 2.5 now in the 1.16 tag too? https://github.com/facade/ignition/blob/1.16.14/CHANGELOG.md

[naderman]

Regarding your invalid bound change, it was fine to add v1 with the constraint, you just have to then add a lower bound for master at >=2.0-dev because otherwise the two branches overlap?

[freshleafmedia]

Really? I was getting an Invalid branch name "v1". error

[naderman]

That's a poorly worded error message I think. It's not the name of the branch that's invalid, it's an invalid branch definition with the name "v1":

[freshleafmedia]

I'm afraid not, It's two separate error messages. If I add a lower version constraint it shows the error:

                                                                                                                        
 [ERROR] Found 1 issue in 1 file.                                                                                       
                                                                                                                        

+------------------------------------+---------------------------+
| File                               | Issues                    |
+------------------------------------+---------------------------+
| facade/ignition/CVE-2021-3129.yaml | Invalid branch name "v1". |
+------------------------------------+---------------------------+

[freshleafmedia]

Looking at the validator it is using the regex ^([\d\.\-]+(\.x)?(\-dev)?|master)$ so only a version number, a version number suffixed by -dev or just master on its own are valid options

[naderman]

@freshleafmedia ah sorry, the name is indeed invalid, I suppose "1.x" would be an appropriate branch name to store the info on the 1.x version range, maybe @stof can shed some light on this?

[stof]

I think 1.x is the way to go indeed (assuming that there is indeed a valid fixed version for 1.x)

[valentijnscholten]

How far is this from getting merged? There seems to be active probing for this vulnerability according to greynoise:

https://twitter.com/nathanqthai/status/1367130234663940110

[naderman]

I see that the 1.16.14 release has been fixed in the meantime, so merging it now.