GHSA SYNC: 1 brand new advisory (#767)

jasnow · postmodern · web-flow · commit 359a9f2a7fde · 2024-03-17T20:40:47.000-07:00
---------

Co-authored-by: Postmodern &lt;postmodern.mod3@gmail.com&gt;
diff --git a/gems/stimulus_reflex/CVE-2024-28121.yml b/gems/stimulus_reflex/CVE-2024-28121.yml
@@ -0,0 +1,93 @@
+---
+gem: stimulus_reflex
+cve: 2024-28121
+ghsa: f78j-4w3g-4q65
+url: https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65
+title: StimulusReflex arbitrary method call
+date: 2024-03-12
+description: |
+  ### Summary
+
+  More methods than expected can be called on reflex instances.
+  Being able to call some of them has security implications.
+
+  ### Details
+
+  To invoke a reflex a websocket message of the following shape is sent:
+
+  ```json
+  {
+    "target": "[class_name]#[method_name]",
+    "args": []
+  }
+  ```
+
+  The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments [ref]:
+
+  [ref]: https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83
+
+  ```ruby
+  method = reflex.method method_name
+  required_params = method.parameters.select { |(kind, _)| kind == :req }
+  optional_params = method.parameters.select { |(kind, _)| kind == :opt }
+
+  if arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size
+    reflex.public_send(method_name, *arguments)
+  end
+  ```
+
+  This is problematic as `reflex.method(method_name)` can be more methods than those explicitly specified by the developer in their reflex class. A good example is the `instance_variable_set` method.
+
+  ```json
+  {
+    "target": "StimulusReflex::Reflex#render_collection",
+    "args": [
+      { "inline":  "<% system('[command here]') %>" }
+    ]
+  }
+  ```
+
+  ### Patches
+
+  Patches are available on [RubyGems] and on [NPM].
+
+  [RubyGems]: https://rubygems.org/gems/stimulus_reflex
+  [NPM]: https://npmjs.org/package/stimulus_reflex
+
+  The patched versions are:
+  - [`3.4.2`](https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2)
+  - [`3.5.0.rc4`](https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4)
+
+  ### Workaround
+
+  You can add this guard to mitigate the issue if running an unpatched
+  version of the library.
+  1.) Make sure all your reflexes inherit from the `ApplicationReflex`
+      class
+  2.) Add this `before_reflex` callback to your `app/reflexes/application_reflex.rb` file:
+
+  ```ruby
+  class ApplicationReflex < StimulusReflex::Reflex
+    before_reflex do
+      ancestors = self.class.ancestors[0..self.class.ancestors.index(StimulusReflex::Reflex) - 1]
+      allowed = ancestors.any? { |a| a.public_instance_methods(false).any?(method_name.to_sym) }
+
+      raise ArgumentError.new("Reflex method '#{method_name}' is not defined on class '#{self.class.name}' or on any of its ancestors") if !allowed
+    end
+  end
+  ```
+cvss_v3: 8.8
+patched_versions:
+  - "~> 3.4.2"
+  - ">= 3.5.0.rc4"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-28121
+    - http://seclists.org/fulldisclosure/2024/Mar/16
+    - https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2
+    - https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4
+    - https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65
+    - https://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7f
+    - https://github.com/stimulusreflex/stimulus_reflex/commit/d823d7348f9ca42eb6df25574f11974e4f5bc88c
+    - https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83
+    - https://github.com/advisories/GHSA-f78j-4w3g-4q65
