--- gem: restforce cve: 2018-3777 date: 2018-07-27 url: https://github.com/restforce/restforce/pull/392 title: Insufficient URI encoding in restforce description: | A flaw in how restforce constructs URL's may allow an attacker to inject additional parameters into Salesforce API requests. Impact ------ This flaw is only exploitable in applications that pass user input directly to restforce's select, find, describe, update, upsert, and destroy methods. Vulnerable code might look like: ```ruby client.select('SomeSalesForceObject', params[:some-id], ...) ``` In such an application, attackers could pass `0016000000MRatd/describe` as a request parameter, causing the server to make a request to a different endpoint than the server is designed to handle. Since the Salesforce REST API supports overriding HTTP methods via a request parameter, an attacker could also cause the client's `select()` method to modify data, by passing `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`. Workarounds ------ If possible, applications should track salesforce IDs internally, rather than passing user-supplied IDs to salesforce. Such practice mitigates this vulnerability, and in general is desirable for ensuring strong access control. patched_versions: - ">= 3.0.0"