
Arbitrary Variants Via Query Parameters in Field Test 0.3.0 #17

Closed
ankane opened this issue Jul 2, 2019 · 1 comment

Comments

@ankane
Owner

ankane commented Jul 2, 2019

Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters. This vulnerability has been assigned the CVE identifier CVE-2019-13146.

Versions Affected: 0.3.0
Fixed Versions: 0.3.1
Versions Unaffected: < 0.3.0

Impact

If an application treats variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS). For instance:

landing_page = field_test(:landing_page)
Page.where("key = '#{landing_page}'")

All users running an affected release should upgrade immediately.
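As an added illustration (not the gem's own code and not the 0.3.1 fix itself), the following shows the two defender-side controls the advisory implies: honour a requested variant only if it is one of the experiment's configured variants, and bind the value into SQL instead of interpolating it. The experiment names, variant names and helper functions are constructed for this example.

```ruby
# Added example (not field_test's own code): a query-parameter variant must be
# validated against the experiment's configured variants before it is trusted,
# and SQL built from it must be bound rather than interpolated.

# Constructed experiment configuration; field_test reads its own config, the
# names here are illustrative only.
EXPERIMENTS = {
  "landing_page" => %w[control simple detailed]
}.freeze

# Pick the variant for an experiment. A requested override (e.g. from a query
# parameter) is honoured only if it is one of the configured variants; anything
# else falls back to the default (first) variant.
def resolve_variant(experiment, requested, config: EXPERIMENTS)
  variants = config.fetch(experiment.to_s)
  return variants.first if requested.nil?
  variants.include?(requested.to_s) ? requested.to_s : variants.first
end

# The pattern from the advisory: the variant is spliced straight into SQL.
# With an unvalidated variant, a value containing a quote changes the query's
# structure instead of being compared as data.
def unsafe_page_sql(variant)
  "SELECT * FROM pages WHERE key = '#{variant}'"
end

# Hardened form: the SQL text is fixed and the value travels as a bind
# parameter, so it cannot alter the statement. Returns [sql, binds] in the
# shape a driver's prepared-statement API takes.
def safe_page_sql(variant)
  ["SELECT * FROM pages WHERE key = ?", [variant]]
end

if __FILE__ == $PROGRAM_NAME
  odd = "simple' OR '1'='1"
  puts "requested #{odd.inspect} -> #{resolve_variant(:landing_page, odd)}"
  puts unsafe_page_sql(odd)                 # structure of the query changed
  p safe_page_sql(resolve_variant(:landing_page, "detailed"))
end
```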

@greysteil

Thanks for field_test, and for patching this vulnerability @ankane!

I work on GitHub's security workflows team and am looking into how we can make it easier for maintainers to publicise security vulnerabilities (and fixes). I'd love your feedback if you have 5 mins to leave a comment. In particular:

  • did you consider using the "Maintainer Security Advisories" to publicise this vulnerability (and patch)?
  • if you've never heard of "Maintainer Security Advisories" there are some docs on them here. What would make you consider using them, and is there anything that would stop you using them?
  • do you have any other thoughts on the process of handling a security vulnerability?

We're trying to make the process easier, particularly for maintainers dealing with a security issue for the first time, so please feel free to mention anything that would have made the process better.

If you'd like to say anything privately you can email me on greysteil@github.com.
