[ruby]: ZipSlip/TarSlip vulnerability detection

[gregxsunday]

Query PR

github/codeql#12208

Language

Ruby

CVE(s) ID list

• CVE-2022-36066

CWE

CWE-022

Report

This query models ZipSlip or TarSlip vulnerabilities where files are extracted from malicious archives without any validation.

I've modelled extracting the files as the source and I've modelled all 3 libraries used by Discourse: Gem::Package::TarReader, Zip::File and Zlib::GzipReader.

The file creation is the sink - I've used already present FileSystemAccess class.

As the sanitizers, I classify const string comparisons or using a File.expand_path function which can be used to resolve the path to then safely validate it. It's like the bug was patched in Discourse.

PS. You should add Ruby to the dropdown above ;)

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

I will make a video here: http://youtube.com/c/BugBountyReportsExplained

[ghsecuritylab]

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Created Hackerone report 1914118 for bounty 466027 : [728] [ruby]: ZipSlip/TarSlip vulnerability detection

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[gregxsunday]

Hi @xcorail,
What's the rationale behind awarding this only $1,8k? It's a previously unmodeled bug class, finds a CVE with critical severity, I've modeled 3 different libraries. What else can one do? I'm asking because, with the Ruby promotion only eligible for highs and mediums, the bounty for a high is like three times more...

[xcorail]

Hi @gregxsunday
Let me check with the team and get back to you

[ghsecuritylab]

Your submission is now in status Initial triage.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Hi @gregxsunday
The team re-evaluated your submission and found new results.
Severity and award were updated accordingly.

Thanks for your patience, we wanted to triage carefully the new results to validate your assumptions.

[gregxsunday]

Hi @xcorail,
Thank you! I appreciate this!