Updated advisory posts against rubysec/ruby-advisory-db@6445bea

RubySec CI · RubySec CI · commit dd3905e99837 · 2016-08-11T19:19:04.000Z
diff --git a/advisories/_posts/2016-08-11-CVE-2016-6316.md b/advisories/_posts/2016-08-11-CVE-2016-6316.md
@@ -0,0 +1,34 @@
+---
+layout: advisory
+title: ! 'CVE-2016-6316 (actionview): Possible XSS Vulnerability in Action View'
+comments: false
+categories:
+- actionview
+- rails
+advisory:
+  gem: actionview
+  framework: rails
+  cve: 2016-6316
+  date: 2016-08-11
+  url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
+  title: Possible XSS Vulnerability in Action View
+  description: ! "There is a possible XSS vulnerability in Action View.  Text declared
+    as \"HTML\nsafe\" will not have quotes escaped when used as attribute values in
+    tag\nhelpers.\n\nImpact\n------\n\nText declared as \"HTML safe\" when passed
+    as an attribute value to a tag helper\nwill not have quotes escaped which can
+    lead to an XSS attack.  Impacted code\nlooks something like this:\n\n```ruby\ncontent_tag(:div,
+    \"hi\", title: user_input.html_safe)\n```\n\nSome helpers like the `sanitize`
+    helper will automatically mark strings as\n\"HTML safe\", so impacted code could
+    also look something like this:\n\n```ruby\ncontent_tag(:div, \"hi\", title: sanitize(user_input))\n```\n\nAll
+    users running an affected release should either upgrade or use one of the\nworkarounds
+    immediately.\n\nWorkarounds\n-----------\nYou can work around this issue by either
+    *not* marking arbitrary user input as\nsafe, or by manually escaping quotes like
+    this:\n\n```ruby\ndef escape_quotes(value)\n  value.gsub(/\"/, '&quot;'.freeze)\nend\n\ncontent_tag(:div,
+    \"hi\", title: escape_quotes(sanitize(user_input)))\n```\n"
+  unaffected_versions:
+  - < 3.0.0
+  patched_versions:
+  - ~> 3.2.22.3
+  - ~> 4.2.7.1
+  - ! '>= 5.0.0.1'
+---
diff --git a/advisories/_posts/2016-08-11-CVE-2016-6317.md b/advisories/_posts/2016-08-11-CVE-2016-6317.md
@@ -0,0 +1,47 @@
+---
+layout: advisory
+title: ! 'CVE-2016-6317 (activerecord): Unsafe Query Generation Risk in Active Record'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+  gem: activerecord
+  framework: rails
+  cve: 2016-6317
+  date: 2016-08-11
+  url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
+  title: Unsafe Query Generation Risk in Active Record
+  description: ! "There is a vulnerability when Active Record is used in conjunction
+    with JSON\nparameter parsing. This vulnerability is similar to CVE-2012-2660,\nCVE-2012-2694
+    and CVE-2013-0155.\n\nImpact\n------\n\nDue to the way Active Record interprets
+    parameters in combination with the way\nthat JSON parameters are parsed, it is
+    possible for an attacker to issue\nunexpected database queries with \"IS NULL\"
+    or empty where clauses.  This issue\ndoes *not* let an attacker insert arbitrary
+    values into an SQL query, however\nthey can cause the query to check for NULL
+    or eliminate a WHERE clause when\nmost users wouldn't expect it.\n\nFor example,
+    a system has password reset with token functionality:\n\n```ruby\n    unless params[:token].nil?\n
+    \     user = User.find_by_token(params[:token])\n      user.reset_password!\n
+    \   end\n```\n\nAn attacker can craft a request such that `params[:token]` will
+    return\n`[nil]`.  The `[nil]` value will bypass the test for nil, but will still
+    add\nan \"IN ('xyz', NULL)\" clause to the SQL query.\n\nSimilarly, an attacker
+    can craft a request such that `params[:token]` will\nreturn an empty hash.  An
+    empty hash will eliminate the WHERE clause of the\nquery, but can bypass the `nil?`
+    check.\n\nNote that this impacts not only dynamic finders (`find_by_*`) but also\nrelations
+    (`User.where(:name => params[:name])`).\n\nAll users running an affected release
+    should either upgrade or use one of the\nwork arounds immediately. All users running
+    an affected release should upgrade\nimmediately. Please note, this vulnerability
+    is a variant of CVE-2012-2660,\nCVE-2012-2694, and CVE-2013-0155.  Even if you
+    upgraded to address those\nissues, you must take action again.\n\nIf this chance
+    in behavior impacts your application, you can manually decode\nthe original values
+    from the request like so:\n\n    `ActiveSupport::JSON.decode(request.body)`\n\nWorkarounds\n-----------\nThis
+    problem can be mitigated by casting the parameter to a string before\npassing
+    it to Active Record.  For example:\n\n  ```ruby\n    unless params[:token].nil?
+    || params[:token].to_s.empty?\n      user = User.find_by_token(params[:token].to_s)\n
+    \     user.reset_password!\n    end\n  ```\n"
+  unaffected_versions:
+  - < 4.2.0
+  - ! '>= 5.0.0'
+  patched_versions:
+  - ~> 4.2.7.1
+---
