Command injection in Thor::Actions#get #514
Comments
ecneladis
changed the title
|
can someone look into this? It is now published and failing in bundle-audit https://nvd.nist.gov/vuln/detail/CVE-2016-10545 |
|
To ignore this warning until a patch is available: |
|
Is someone working on this? How can we help? /cc @rafaelfranca |
|
O_0. Who asked for that CVE without discussion this with the project maintainers? |
|
@rafaelfranca I don't know, IIRC it was recorded as reported by MITRE. Just reviewed the code and the specs. I understand the vulnerability around @galori It's not trivial to disable if, say, you're using Maybe the original submitter can chime in? /cc @ecneladis |
|
@reedloden do you know who submitted that CVE? MITRE says it came from HackerOne |
|
According to specs, seamless file and url access are by design. In this case, getting |
|
Yes, this is by design. Thor is a system tool that unlikely will receive user input. Saying thor is vulnerable for command injection is the same thing than saying bash is vulnerable for command injection. |
No “patch” is available, and it’s unclear whether or not this is a legitimate vulnerability: rails/thor#514
According to rails/thor#514 nobody thinks this is actually a vulnerability. It seems unlikely to ever get "patched".
|
rubysec/ruby-advisory-db#341 - I've proposed that ruby-advisory-db remove this as the consensus here seems to be that this isn't going to get changed in Thor. |
|
Seems like we could solve the CVE complaint with a documentation-only patch, no? |
|
@bosoxbill that is reasonable to me. Feel free to open a PR, I'll merge. |
|
Pull is here: #611 |
The consensus is that it's not an exploitable vulnerability and will not be fixed in Thor (except for documentation part): rails/thor#514
The consensus is that it's not an exploitable vulnerability and will not be fixed in Thor (except for documentation part): rails/thor#514
The consensus is that it's not an exploitable vulnerability and will not be fixed in Thor (except for documentation part): rails/thor#514
Upstream does not consider this a vulnerability, as per rails/thor#514
|
Hey folks -- sorry for delayed response. First of all, based on this discussion, I've gone ahead and removed this issue from This came about because the reporter of this issue had submitted a report to RubySec a while ago to get it added to the database, and it had never been processed. I went through all submissions, and while I did confirm that this issue was still valid in the current It would have been helpful if this particular issue had not been left open for over two years. Makes it difficult for me to know how upstream would consider the report, and I generally then err on the side of caution of considering it valid. Anyway, sorry for any problems here. |
The consensus is that it's not an exploitable vulnerability and will not be fixed in Thor (except for documentation part): rails/thor#514
|
Thanks for the context. This issue was open between the change in maintainers so I missed it totally, sorry. I'll close the issue but also document on |
|
And also for deal with rejecting the CVE. |
|
@rafaelfranca If help is needed to do a triage or validate pull-requests, please let me know. |
|
Just thought I'd let you know that even though you've already merged the documentation patch to address the CVE, it appears that yesterday thor has been added to the list of vulnerabilities that Snyk reports on. I just got a notification in my email from them https://snyk.io/vuln/SNYK-RUBY-THOR-22041 - From the remediation section in there I'm guessing that bumping the release to 0.21 might keep their scanning engine happy. |
|
@jimconner Snyk should note that the CVE was rejected. I don't think the |
|
Hey all, I'm Karen, a Security Analyst @ snyk.io. |
Open-uri's open used in Thor::Actions#get allows executing system commands [1].
Documentation does not warn that source parameter is vulnerable to malicious input.
Example:
[1] http://sakurity.com/blog/2015/02/28/openuri.html
The text was updated successfully, but these errors were encountered: