[Ruby]: Denial of Service due to the use of uncontrained integer/float

[Sim4n6]

Query PR

github/codeql#16206

Language

Ruby

CVE(s) ID list

• CVE-2022-23837
• In api.rb in Sidekiq, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
• The commit of the fix is : sidekiq/sidekiq@7785ac1
• The vulnerable version of the database where the vulnerable path can be identified with this query is available at: https://raw.githubusercontent.com/Sim4n6/CodeQL_dbs/main/sidekiq_vuln4.zip

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

Report

1. Application-level Denial of Service due to unconstrained use of a user controlled value (integer/float) in the allocation of a resource without limitation.

2. The source is a remote user controlled data, like /?days=31, through a vulnerable path this value without limitation reaches a ruby code that controls how many times a sync operation is repeated, like 1.upto(days) do // something. An exploit would be to issue /?days=9999999 to potentially cause an application-level denial of service remotely.

3. I've studied the CVE-2022-23837 in sidekiq Denial of service. I have put focus on the fix commit sidekiq/sidekiq@7785ac1. I noticed the following:

• The source in sidekiq for this specific case is a remote user controlled parameter which goes encompassed thourgh a function called params too. So I extended the RemoteFlowSource::Range.
• I noticed the essence of the problem comes from this line : https://github.com/sidekiq/sidekiq/blob/7785ac1399f1b28992adb56055f6acd88fd1d956/lib/sidekiq/api.rb#L182

dates = @start_date.downto(@start_date - @days_previous + 1).map { |date|
          date.strftime("%Y-%m-%d")
        }

The condition on the number of times the operation date.strftime() is executed can be reached by a remote user data days_previous.

• I broadned the sink reach. The CVE fix considers limiting the pattern A.downto(B) but there are also A.upto(B) and A.times().

• The for loop and unconditional loop appears to be of interest too, in a case like for i in 1..days.

• There was an additional flow step added for a case like the use of default value: (days || 31).to_i.

4. In case the incoming user data is limited, that is not a valid hit considered by the sanitizer underAValue.

5. Other cases exist that could be considered as sanitizers A.between?(1,100) for instance.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

• https://sim4n6.beehiiv.com/subscribe

[Sim4n6]

I summarize my learning via a newsletter format publication about this issue in here.

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Thanks for the submission @Sim4n6 !

We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined that this query does not fulfill the criteria to be included into the CodeQL query suites and not eligible for a reward under the Bug Bounty program.
However, we find this query is a good candidate for the CodeQL-Community-Packs. We invite you to submit this query (Just the .ql file) as pull request to the CodeQL-Community-Packs repo (into the folder ruby/src/security/CWE-770). We think this contribution will be valuable for the community and we'd still like to offer you a $500 "thank you" reward.

Best regards and happy hacking!

Created Hackerone report 2519370 for bounty 581161 : [823] [Ruby]: Denial of Service due to the use of uncontrained integer/float

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[Sim4n6]

So unfortunate, but indeed the query deserves much more efforts... Any way it got CVE-2024-35231

Regards
@Sim4n6