[ruby]: ZipSlip/TarSlip vulnerability detection #728
Comments
Your submission is now in status Results analysis. For information, the evaluation workflow is the following:
Your submission is now in status Query review. For information, the evaluation workflow is the following:
Your submission is now in status Final decision. For information, the evaluation workflow is the following:
Your submission is now in status Pay. For information, the evaluation workflow is the following:
Created Hackerone report 1914118 for bounty 466027 : [728] [ruby]: ZipSlip/TarSlip vulnerability detection
Your submission is now in status Closed. For information, the evaluation workflow is the following:
Your submission is now in status Initial triage. For information, the evaluation workflow is the following:
Your submission is now in status Closed. For information, the evaluation workflow is the following:
Hi @gregxsunday Thanks for your patience, we wanted to triage carefully the new results to validate your assumptions.
Query PR
github/codeql#12208
Language
Ruby
CVE(s) ID list
CWE
CWE-022
Report
This query models ZipSlip or TarSlip vulnerabilities where files are extracted from malicious archives without any validation.
I've modelled extracting the files as the source and I've modelled all 3 libraries used by Discourse: `Gem::Package::TarReader`, `Zip::File` and `Zlib::GzipReader`. The file creation is the sink - I've used the already present `FileSystemAccess` class. As the sanitizers, I classify const string comparisons or using a `File.expand_path` function which can be used to resolve the path to then safely validate it. It's like the bug was patched in Discourse.

PS. You should add Ruby to the dropdown above ;)
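The source, sink and sanitizer described above, as an added example that is not part of this report or of the CodeQL query: a Ruby extractor over `Gem::Package::TarReader` (the source) that resolves each entry with `File.expand_path` (the sanitizer) before the file write (the sink). The in-memory archive and its entry names are constructed for the example.

```ruby
require "rubygems/package"
require "stringio"
require "tmpdir"
require "fileutils"
# Resolve an archive entry name against the destination directory and return
# the absolute target, or nil when it would land outside (the expand_path check).
def safe_target_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, base)
  # Compare with a trailing separator so "/srv/out-evil" is not a child of "/srv/out".
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end
# Extract regular files, skipping entries that resolve outside dest_dir.
# Returns [written absolute paths, skipped entry names].
def extract_tar_safely(io, dest_dir)
  written, skipped = [], []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      next unless entry.file?
      name = entry.full_name
      target = safe_target_path(dest_dir, name)
      if target.nil?
        skipped << name   # an unvalidated extractor would write here (CWE-22)
        next
      end
      FileUtils.mkdir_p(File.dirname(target))
      File.binwrite(target, entry.read)
      written << target
    end
  end
  [written, skipped]
end
# Constructed tar: one benign entry and one whose name climbs above the target dir.
def build_sample_tar
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    { "docs/readme.txt" => "hello", "../escape.txt" => "owned" }.each do |name, data|
      tar.add_file_simple(name, 0o644, data.bytesize) { |f| f.write(data) }
    end
  end
  io.rewind
  io
end
# Extract the sample into a temp directory; returns written paths relative to it.
def demo
  Dir.mktmpdir do |dir|
    written, skipped = extract_tar_safely(build_sample_tar, dir)
    [written.map { |p| p.delete_prefix(File.expand_path(dir)) }, skipped]
  end
end
```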
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
I will make a video here: http://youtube.com/c/BugBountyReportsExplained