-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SECURITY] CVE-2024-27456 - Insecure File Permissions in rack-cors v2.0.1 #274
Comments
It does not seem the permissions were changed at all. Output from latest version $ ls -la ./lib/rack/cors/
total 32
drwxr-xr-x 3 ubuntu ubuntu 4096 Feb 22 08:57 .
drwxr-xr-x 3 ubuntu ubuntu 4096 Feb 22 08:57 ..
-rw-r--r-- 1 ubuntu ubuntu 4602 Feb 22 08:57 resource.rb
drwxr-xr-x 2 ubuntu ubuntu 4096 Feb 22 08:57 resources
-rw-r--r-- 1 ubuntu ubuntu 1435 Feb 22 08:57 resources.rb
-rw-r--r-- 1 ubuntu ubuntu 1424 Feb 22 08:57 result.rb
-rw-r--r-- 1 ubuntu ubuntu 88 Feb 22 08:57 version.rb |
|
@joaomarcos96 it looks like you're checking the permissions of the git repo files? What you're describing matches what I get on my local git repo. But I do see the original issue as reported for the gem file downloaded from https://rubygems.org/gems/rack-cors/versions/2.0.1 (after decompressing the |
@bdewater maybe there's something I'm missing but after decompressing
|
@bdewater doing the process manually with |
Confirmed on my local installation that 2.0.1 has different permissions, just by editing Gemfile to read
|
Since this appears to be an issue with the rubygems package that is being distributed, you can attempt to install from the github tag in the meantime which keeps the read-only permissions for other users. This will not alleviate your bundle audit alerts/blockers. Out of curiosity, what can we expect here since this appears to be a packaging issue? |
I would advise the gem maintainers to setup the new trusted publishing workflow to release this gem: https://guides.rubygems.org/trusted-publishing/ This will allow the gem to be built and published from Github Actions automatically when tagging a new version, using OpenID Connect, so the Github Action will automatically auth with Rubygems and there is no longer a need to store credentials to publish from Github. Here is an how-to : https://guides.rubygems.org/trusted-publishing/adding-a-publisher/ |
For us, downgrading to v2.0.0 made issue #259 reappear, so had to switch to |
I've pushed 2.0.2 which should fix this. |
|
Marked 2.0.2 and later versions fixed, as per cyu/rack-cors#274
Looks like we're just waiting on rubysec/ruby-advisory-db#760 to add metadata about the fixed versions. |
Thanks for all the support no this, and apologies for taking so long to turn this around. |
Description
I have identified an issue with insecure file permissions in the
rack-cors
Ruby gem, starting from version 2.0.1. Previous versions of the gem do not exhibit this problem.The files are set with world-writable permissions (
666
), which could lead to unauthorized disclosure or modification of the files, posing a security risk.rack-cors 2.0.1
:rack-cors 2.0.0
:Steps to Reproduce
rack-cors
version 2.0.1.ls -l
.You should observe that the permissions are set to
666
, indicating that they are readable and writable by all users.Expected Behavior
To prevent unauthorized access or modifications, files distributed with the gem should have secure default permissions, limiting write access to the owner (and possibly the group), e.g.,
644
or similar.Actual Behavior
The files are distributed with
666
permissions, making them world-readable and writable.Suggested Fix
Review and adjust the file permissions for the distributed files in the gem's repository and packaging process to ensure they are set securely by default.
Relevant Information
Security Risk
This issue could lead to unauthorized information disclosure, data tampering, or other security vulnerabilities depending on the deployment environment and usage of the affected files.
The text was updated successfully, but these errors were encountered: