-
-
Notifications
You must be signed in to change notification settings - Fork 221
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GHSA SYNC: 1 brand new advisory (#766)
--------- Co-authored-by: Postmodern <[email protected]>
- Loading branch information
1 parent
5dd464e
commit 81353c4
Showing
1 changed file
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| --- | ||
| gem: turbo_boost-commands | ||
| cve: 2024-28181 | ||
| ghsa: mp76-7w5v-pr75 | ||
| url: https://github.com/hopsoft/turbo_boost-commands/security/advisories/GHSA-mp76-7w5v-pr75 | ||
| title: TurboBoost Commands vulnerable to arbitrary method invocation | ||
| date: 2024-03-15 | ||
| description: | | ||
| ### Impact | ||
| TurboBoost Commands has existing protections in place to | ||
| guarantee that only public methods on Command classes can be invoked; however, the | ||
| existing checks aren't as robust as they should be. It's possible for a sophisticated | ||
| attacker to invoke more methods than should be permitted depending on the the strictness | ||
| of authorization checks that individual applications enforce. Being able to call | ||
| some of these methods can have security implications. | ||
| #### Details | ||
| Commands verify that the class must be a `Command` and that the method requested is | ||
| defined as a public method; however, this isn't robust enough to guard against all | ||
| unwanted code execution. The library should more strictly enforce which methods are | ||
| considered safe before allowing them to be executed. | ||
| ### Patches | ||
| Patched in the following versions. | ||
| - 0.1.3 | ||
| - [NPM Package](https://www.npmjs.com/package/@turbo-boost/commands/v/0.1.3) | ||
| - [Ruby GEM](https://rubygems.org/gems/turbo_boost-commands/versions/0.1.3) | ||
| - 0.2.2 | ||
| - [NPM Package](https://www.npmjs.com/package/@turbo-boost/commands/v/0.2.2) | ||
| - [Ruby GEM](https://rubygems.org/gems/turbo_boost-commands/versions/0.2.2) | ||
| ### Workarounds | ||
| You can add this guard to mitigate the issue if running an unpatched | ||
| version of the library. | ||
| ```ruby | ||
| class ApplicationCommand < TurboBoost::Commands::Command | ||
| before_command do | ||
| method_name = params[:name].include?(\"#\") ? params[:name].split(\"#\").last : :perform | ||
| ancestors = self.class.ancestors[0..self.class.ancestors.index(TurboBoost::Commands::Command) - 1] | ||
| allowed = ancestors.any? { |a| a.public_instance_methods(false).any? method_name.to_sym } | ||
| throw :abort unless allowed # ← blocks invocation | ||
| # raise \"Invalid Command\" unless allowed # ← blocks invocation | ||
| end | ||
| end | ||
| ``` | ||
| cvss_v3: 8.1 | ||
| patched_versions: | ||
| - "~> 0.1.3" | ||
| - ">= 0.2.2" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-28181 | ||
| - https://github.com/hopsoft/turbo_boost-commands/security/advisories/GHSA-mp76-7w5v-pr75 | ||
| - https://github.com/hopsoft/turbo_boost-commands/commit/337cda7d9222f1f449905454a7374222017a7477 | ||
| - https://github.com/hopsoft/turbo_boost-commands/commit/88af4fc0ac39cc1799d16c49fab52f6dfbcec9ba | ||
| - https://github.com/advisories/GHSA-mp76-7w5v-pr75 |