github/securitylab

[Ruby]: DOS through Decompression

am0o0 opened this issue · 13 comments

am0o0 commented

Query PR

github/codeql#13556

Language

Ruby

CVE(s) ID list

CWE

No response

Report

Extracting compressed files with any compression algorithm like gzip can lead to denial of service attacks. Attackers can compress a huge file which is created by repeating a similar byte and convert it to a small compressed file.
I added the only sanitizer that I think is available, which is checking the size of each uncompressed zip entry.
Also I added some instances of some really popular additional taint steps which I think would be good to add as global steps.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
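The sanitizer the report describes (bounding the uncompressed size of what is extracted), shown as an added Ruby example that is not code from the report, from CodeQL or from any affected project: the unbounded inflate beside a streaming, size-capped one. It uses only the standard library Zlib (gzip rather than zip, since rubyzip is not in stdlib), and all inputs are constructed in the block.

```ruby
require 'zlib'
require 'stringio'

# Constructed samples: a few MiB of one repeated byte gzips to a few KiB,
# which is exactly the ratio a decompression bomb relies on.
BOMB_UNCOMPRESSED_SIZE = 4 * 1024 * 1024
COMPRESSED_BOMB = Zlib.gzip("\0" * BOMB_UNCOMPRESSED_SIZE)
COMPRESSED_BENIGN = Zlib.gzip("hello, world\n" * 100)

class DecompressionLimitExceeded < StandardError; end

# Vulnerable pattern: inflate the whole stream into memory, trusting the input.
# Memory use is decided by the attacker, not by the size of the upload.
def inflate_unbounded(compressed)
  Zlib::GzipReader.new(StringIO.new(compressed)).read
end

# Hardened pattern: stream the inflated bytes and stop as soon as the running
# total passes the limit. The gzip ISIZE trailer and a zip entry's declared
# "uncompressed size" are attacker-controlled, so only bytes actually produced
# are counted; peak memory is bounded by max_bytes + chunk_size.
def inflate_bounded(compressed, max_bytes:, chunk_size: 64 * 1024)
  reader = Zlib::GzipReader.new(StringIO.new(compressed))
  out = String.new
  while (chunk = reader.read(chunk_size))
    out << chunk
    if out.bytesize > max_bytes
      raise DecompressionLimitExceeded, "inflated size exceeds #{max_bytes} bytes"
    end
  end
  out
ensure
  reader&.close
end

if __FILE__ == $PROGRAM_NAME
  puts "bomb is #{COMPRESSED_BOMB.bytesize} bytes compressed"
  begin
    inflate_bounded(COMPRESSED_BOMB, max_bytes: 1024 * 1024)
  rescue DecompressionLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```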

am0o0 commented

@Kwstubbs I already made the DB for the GitLab vulnerable version and also made a GitHub repo for the vulnerable version, but the problem is I can't get results because of performance (I can't run even a simple API graph node query). But you can read this related issue, which can be found from this original CVE advisory link, to see what the vulnerable snippet is, so we can test only that part of the code.

am0o0 commented

@Kwstubbs it seems that the problem was with my local Ruby CodeQL DB; my GitHub repo has a good DB on which you can run MRVA, or download it and run tests on it!

p- commented

Hey @amammad 👋
Could you please remove the local CodeQL sources for the zip bomb query in the PR (and only keep the remote flow sources)?
Testing the query with local sources was a bit noisy, which does not fit well into a query suite where you don't want to have too many FPs. (However, for security research/testing you would of course want those results as well 😉)

Thanks

@amammad
Please do this for DOS queries of all languages. Thank you.

am0o0 commented

@p- @Kwstubbs I'll remove these local steps.

PS: I'm wondering about the - in the usernames :))

p- commented

Hey @amammad 👋

I'll remove these local steps.

I saw you likely did that in a commit on the 11th of October - is this query now ready for another test run?

am0o0 commented

Hi @p- Yes.
This query is ready for another test run.

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Your submission is now in status Results analysis.

Your submission is now in status Query review.

Your submission is now in status Final decision.

Created Hackerone report 2529365 for bounty 583171 : [776] [Ruby]: DOS through Decompression

Your submission is now in status Closed.