You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Snyk Open Source",
"rules": [
{
"id": "SNYK-RUBY-RACK-1061917",
"shortDescription": {
"text": "Medium severity - Web Cache Poisoning vulnerability in rack"
},
"fullDescription": {
"text": "rack@2.2.6.4"
},
"help": {
"text": "",
"markdown": "* Package Manager: rubygems\n* Vulnerable module: rack\n* Introduced through: workspace@, oauth2@1.4.1 and others\n### Detailed paths\nIntroduced through: workspace@* › oauth2@1.4.1 › rack@2.2.6.4\n# Overview\nrack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\nAffected versions of this package are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.\r\n\r\n## PoC\r\n\r\n\r\nGET /?q=legitimate&utm_content=1;q=malicious HTTP/1.1\r\n\r\nHost: somesite.com\r\n\r\nUpgrade-Insecure-Requests: 1\t\t\r\n\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36\r\n\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag e/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate\t\t\t\r\n\r\nAccept-Language: en-US,en;q=0.9 Connection: close\t\t\t\r\n\r\n\r\nThe server sees 3 parameters here: q, utm_content and then q again. On the other hand, the proxy considers this full string: 1;q=malicious as the value of utm_content, which is why the cache key would only contain somesite.com/?q=legitimate.\n# Remediation\nUpgrade rack to version 3.0.0.beta1 or higher.\n# References\n- GitHub Issue\n- GitHub PR\n- Web Cache Poisoning - Snyk Research Blog\n"
},
"properties": {
"tags": [
"security",
"CWE-444",
"rubygems"
]
}
},
{
"id": "SNYK-RUBY-RAKE-552000",
"shortDescription": {
"text": "High severity - Arbitrary Code Injection vulnerability in rake"
},
"fullDescription": {
"text": "(CVE-2020-8130) rake@11.1.2"
},
"help": {
"text": "",
"markdown": "* Package Manager: rubygems\n* Vulnerable module: rake\n* Introduced through: workspace@* and rake@11.1.2\n### Detailed paths\n* Introduced through: workspace@* › rake@11.1.2\n# Overview\nrake is a Make-like program implemented in Ruby.\nAffected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when supplying a filename that begins with the pipe character |.\r\n\r\n# PoC by Katsuhiko Yoshida\r\n\r\n\r\n% ls -1\r\nGemfile\r\nGemfile.lock\r\npoc_rake.rb\r\nvendor\r\n| touch evil.txt\r\n% bundle exec ruby poc_rake.rb\r\n[\"poc_rake.rb\", \"Gemfile\", \"Gemfile.lock\", \"| touch evil.txt\", \"vendor\"]\r\npoc_rake.rb:6:list.egrep(/something/)\r\nError while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor\r\n% ls -1\r\nGemfile\r\nGemfile.lock\r\nevil.txt\r\npoc_rake.rb\r\nvendor\r\n| touch evil.txt\r\n\n# Remediation\nUpgrade rake to version 12.3.3 or higher.\n# References\n- HackerOne Report\n"
},
"properties": {
"tags": [
"security",
"CWE-94",
"rubygems"
]
}
}
]
}
},
"results": [
{
"ruleId": "SNYK-RUBY-RACK-1061917",
"level": "warning",
"message": {
"text": "This file introduces a vulnerable rack package with a medium severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Gemfile"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "SNYK-RUBY-RAKE-552000",
"level": "error",
"message": {
"text": "This file introduces a vulnerable rake package with a high severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Gemfile"
},
"region": {
"startLine": 1
}
}
}
]
}
]
}
]
}
Tunnel 1a5b-2405-201-20-caf-5574-63e3-2550-57dd.in.ngrok.io not found (ERR_NGROK_3200)
<script id="script" src="https://cdn.ngrok.com/static/js/error.js" type="text/javascript"></script>
{
"id": "SNYK-RUBY-RACK-1061917",
"moduleName": "rack",
"title": "Web Cache Poisoning",
"description": "## Overview\nrack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\nAffected versions of this package are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.\r\n\r\n### PoC\r\n\r\n\r\nGET /?q=legitimate&utm_content=1;q=malicious HTTP/1.1\r\n\r\nHost: somesite.com\r\n\r\nUpgrade-Insecure-Requests: 1\t\t\r\n\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36\r\n\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag e/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate\t\t\t\r\n\r\nAccept-Language: en-US,en;q=0.9 Connection: close\t\t\t\r\n\r\n\r\nThe server sees 3 parameters here: q, utm_content and then q again. On the other hand, the proxy considers this full string: 1;q=malicious as the value of utm_content, which is why the cache key would only contain somesite.com/?q=legitimate.\n## Remediation\nUpgrade rack to version 3.0.0.beta1 or higher.\n## References\n- GitHub Issue\n- GitHub PR\n- Web Cache Poisoning - Snyk Research Blog\n",
"severity": "medium",
"cvssScore": 5.9,
"from": [
"workspace@",
"oauth2@1.4.1",
"rack@2.2.6.4"
],
"Url": "rack/rack#1732",
"fixedIn": [
"3.0.0.beta1"
]
}
{
"id": "SNYK-RUBY-RAKE-552000",
"moduleName": "rake",
"title": "Arbitrary Code Injection",
"description": "## Overview\nrake is a Make-like program implemented in Ruby.\nAffected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when supplying a filename that begins with the pipe character |.\r\n\r\n## PoC by Katsuhiko Yoshida\r\n\r\n\r\n% ls -1\r\nGemfile\r\nGemfile.lock\r\npoc_rake.rb\r\nvendor\r\n| touch evil.txt\r\n% bundle exec ruby poc_rake.rb\r\n[\"poc_rake.rb\", \"Gemfile\", \"Gemfile.lock\", \"| touch evil.txt\", \"vendor\"]\r\npoc_rake.rb:6:list.egrep(/something/)\r\nError while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor\r\n% ls -1\r\nGemfile\r\nGemfile.lock\r\nevil.txt\r\npoc_rake.rb\r\nvendor\r\n| touch evil.txt\r\n\n## Remediation\nUpgrade rake to version 12.3.3 or higher.\n## References\n- HackerOne Report\n",
"severity": "high",
"cvssScore": 7.3,
"from": [
"workspace@",
"rake@11.1.2"
],
"Url": "https://hackerone.com/reports/651518",
"fixedIn": [
"12.3.3"
]
}
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
testpr