github/securitylab

[Ruby]: Denial of Service due to the use of uncontrained integer/float

Closed this issue · 7 comments

Sim4n6 commented

Query PR

github/codeql#16206

Language

Ruby

CVE(s) ID list

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

Report

  1. Application-level Denial of Service due to unconstrained use of a user controlled value (integer/float) in the allocation of a resource without limitation.

  2. The source is a remote user controlled data, like /?days=31, through a vulnerable path this value without limitation reaches a ruby code that controls how many times a sync operation is repeated, like 1.upto(days) do // something. An exploit would be to issue /?days=9999999 to potentially cause an application-level denial of service remotely.

  3. I've studied the CVE-2022-23837 in sidekiq Denial of service. I have put focus on the fix commit sidekiq/sidekiq@7785ac1. I noticed the following:

dates = @start_date.downto(@start_date - @days_previous + 1).map { |date|
          date.strftime("%Y-%m-%d")
        }

The condition on the number of times the operation date.strftime() is executed can be reached by a remote user data days_previous.

  • I broadned the sink reach. The CVE fix considers limiting the pattern A.downto(B) but there are also A.upto(B) and A.times().

  • The for loop and unconditional loop appears to be of interest too, in a case like for i in 1..days.

  • There was an additional flow step added for a case like the use of default value: (days || 31).to_i.

  1. In case the incoming user data is limited, that is not a valid hit considered by the sanitizer underAValue.

  2. Other cases exist that could be considered as sanitizers A.between?(1,100) for instance.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

Sim4n6 commented

I summarize my learning via a newsletter format publication about this issue in here.

ghsecuritylab commented

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

xcorail commented

Thanks for the submission @Sim4n6 !

We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined that this query does not fulfill the criteria to be included into the CodeQL query suites and not eligible for a reward under the Bug Bounty program.
However, we find this query is a good candidate for the CodeQL-Community-Packs. We invite you to submit this query (Just the .ql file) as pull request to the CodeQL-Community-Packs repo (into the folder ruby/src/security/CWE-770). We think this contribution will be valuable for the community and we'd still like to offer you a $500 "thank you" reward.

Best regards and happy hacking!

Created Hackerone report 2519370 for bounty 581161 : [823] [Ruby]: Denial of Service due to the use of uncontrained integer/float

  • 👍1
ghsecuritylab commented

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Sim4n6 commented

So unfortunate, but indeed the query deserves much more efforts... Any way it got CVE-2024-35231

Regards
@Sim4n6

  • 👍1