
---
gem: restforce
cve: 2018-3777
date: 2018-07-27
url: https://github.com/restforce/restforce/pull/392
title: Insufficient URI encoding in restforce
description: |
  A flaw in how restforce constructs URLs may allow an attacker to inject
  additional parameters into Salesforce API requests.

  Impact
  ------
  This flaw is only exploitable in applications that pass user input directly
  to restforce's select, find, describe, update, upsert, and destroy methods.
  Vulnerable code might look like:

  ```ruby
  client.select('SomeSalesForceObject', params[:some_id],
     ...)
  ```

  In such an application, attackers could pass `0016000000MRatd/describe`
  as a request parameter, causing the server to make a request to a different
  endpoint than the server is designed to handle. Since the Salesforce REST
  API supports overriding HTTP methods via a request parameter, an attacker
  could also cause the client's `select()` method to modify data, by passing
  `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`.

  Workarounds
  ------
  If possible, applications should track Salesforce IDs internally, rather than
  passing user-supplied IDs to Salesforce. Such practice mitigates this
  vulnerability, and in general is desirable for ensuring strong access control.

patched_versions:
- ">= 3.0.0"
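The following is an added illustration, not code from restforce or from the advisory, of why the unencoded interpolation is exploitable and of two layered defences a caller or client library can apply: percent-encoding the record ID before it reaches the URL path, and allowlisting the 15/18-character Salesforce ID shape. The helper names, the regex and the use of `ERB::Util.url_encode` are assumptions of this example, not restforce's actual 3.0.0 fix.

```ruby
require 'erb'

# Shape of a Salesforce record ID: 15 case-sensitive or 18 case-safe
# alphanumeric characters and nothing else (assumption: used as an allowlist).
SALESFORCE_ID = /\A[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?\z/.freeze

# Vulnerable pattern: the caller's value lands in the URL unchanged, so a
# value containing '/' or '?' rewrites the path or query the client sends.
def unsafe_record_path(sobject, id)
  "sobjects/#{sobject}/#{id}"
end

# Hardened builder. Percent-encoding alone stops path/query injection
# ('/', '?', '&', '=' become %2F, %3F, %26, %3D); the ID allowlist is a
# second layer that rejects malformed input outright instead of sending it.
def safe_record_path(sobject, id, strict: true)
  if strict && !SALESFORCE_ID.match?(id.to_s)
    raise ArgumentError, "not a Salesforce ID: #{id.inspect}"
  end
  "sobjects/#{ERB::Util.url_encode(sobject)}/#{ERB::Util.url_encode(id.to_s)}"
end

# Detection helper for request logs or tests: does a user-supplied value
# contain any character that would change URL structure when interpolated?
def url_structure_chars?(value)
  value.to_s.match?(%r{[/?#&=]})
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate ID and the two shapes of
  # injected value described in the advisory text above.
  ['0016000000MRatd',
   '0016000000MRatd/describe',
   '0016000000MRatd/?_HttpMethod=PATCH&other-query-params=x'].each do |p|
    puts "unsafe:         #{unsafe_record_path('Account', p)}"
    puts "encoded only:   #{safe_record_path('Account', p, strict: false)}"
    begin
      puts "strict:         #{safe_record_path('Account', p)}"
    rescue ArgumentError => e
      puts "strict:         rejected (#{e.message})"
    end
  end
end
```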

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/restforce/CVE-2018-3777.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/restforce/CVE-2018-3777.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/restforce/CVE-2018-3777.yml