-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP Request Smuggling in ruby webrick #145
Comments
If a request has both a content-length and transfer-encoding headers, return a 400 response. This is allowed by RFC 7230 section 3.3.3.3. Fixes ruby#145
I checked and RFC 7230 allows the server to return an error in this case. I've submitted pull request #146 to fix it, can you test it and see if it works in your example? |
Hi jeremyevans, I have checked the patch you pushed, the issue is still unresolved, please check by the command below.
|
I guess you aren't using pull request #146. With pull request #146: Webrick output:
I am able to recreate the problem without pull request #146, though. |
Hi jeremyevans, Sorry, I forgot to check the required lib from the local file. I confirmed that the malicious request is not wokring for this case. Additionally, could you please assist me in applying for a CVE ID for this vulnerability, and have my name mentioned in the acknowledgments on the Ruby official security page? I would appreciate if you can help me. |
Webrick has not been part of Ruby since the release of Ruby 3.0, over three years ago. While this repository is under the ruby organization on GitHub, it is no longer considered part of Ruby. Webrick should not be used in production. It is only still maintained because there are other gems relying it, most of which do so only for testing, and only because it is a pure ruby implementation and it was shipped with Ruby in the past. I'm sorry, but I cannot assist with applying for a CVE, and as Webrick is only longer part of Ruby, an acknowledgment on Ruby's official security page would not be appropriate. |
The issue and the fix are much appreciated. What is the project's release practice for new changes? |
@hsbt, is it possible to release a new version with this security fix? |
Done https://github.com/ruby/webrick/releases/tag/v1.8.2 Someone requests to assign https://nvd.nist.gov/vuln/detail/CVE-2024-47220 from MITRE. It's disrupted our ecosystem and waste our valuable time. |
…ncy. Webrick was originally part of the pact application, but is now purely used to support testing. Also, to quote Jeremy Evans ruby/webrick#145 (comment) > Webrick has not been part of Ruby since the release of Ruby 3.0, over three years ago. While this repository is under the ruby organization on GitHub, it is no longer considered part of Ruby. > > Webrick should not be used in production. It is only still maintained because there are other gems relying it, most of which do so only for testing, and only because it is a pure ruby implementation and it was shipped with Ruby in the past. As Webrick has recently seen a number of CVEs, pulling Webrick in to other codebases unecessarily causes security related maintenance. It's still fine for testing.
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [webrick](https://github.com/ruby/webrick) | `1.8.1` -> `1.8.2` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### HTTP Request Smuggling in ruby webrick [CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) / [GHSA-6f62-3596-g6w7](https://github.com/advisories/GHSA-6f62-3596-g6w7) <details> <summary>More information</summary> #### Details An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) - [https://github.com/ruby/webrick/issues/145](https://github.com/ruby/webrick/issues/145) - [https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841](https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841) - [https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7](https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7) - [https://github.com/ruby/webrick](https://github.com/ruby/webrick) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6f62-3596-g6w7) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>ruby/webrick (webrick)</summary> ### [`v1.8.2`](https://github.com/ruby/webrick/releases/tag/v1.8.2) [Compare Source](https://github.com/ruby/webrick/compare/v1.8.1...v1.8.2) #### What's Changed - Drop commented-out line by [@​olleolleolle](https://github.com/olleolleolle) in [https://github.com/ruby/webrick/pull/108](https://github.com/ruby/webrick/pull/108) - Add Ruby 3.1 & 3.2 to CI matrix by [@​tricknotes](https://github.com/tricknotes) in [https://github.com/ruby/webrick/pull/109](https://github.com/ruby/webrick/pull/109) - Fix/redos by [@​ooooooo-q](https://github.com/ooooooo-q) in [https://github.com/ruby/webrick/pull/114](https://github.com/ruby/webrick/pull/114) - Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/120](https://github.com/ruby/webrick/pull/120) - Bump actions/checkout from 3 to 4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/ruby/webrick/pull/121](https://github.com/ruby/webrick/pull/121) - Improve CI by [@​hsbt](https://github.com/hsbt) in [https://github.com/ruby/webrick/pull/123](https://github.com/ruby/webrick/pull/123) - Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by [@​KJTsanaktsidis](https://github.com/KJTsanaktsidis) in [https://github.com/ruby/webrick/pull/128](https://github.com/ruby/webrick/pull/128) - Fix bug chunk extension detection by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/125](https://github.com/ruby/webrick/pull/125) - Fix CI. by [@​ioquatix](https://github.com/ioquatix) in [https://github.com/ruby/webrick/pull/131](https://github.com/ruby/webrick/pull/131) - Merge multiple cookie headers, preserving semantic correctness. by [@​ioquatix](https://github.com/ioquatix) in [https://github.com/ruby/webrick/pull/130](https://github.com/ruby/webrick/pull/130) - Test on macos-latest by [@​byroot](https://github.com/byroot) in [https://github.com/ruby/webrick/pull/132](https://github.com/ruby/webrick/pull/132) - Require CRLF line endings in request line and headers by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/138](https://github.com/ruby/webrick/pull/138) - Prefer squigly heredocs. by [@​ioquatix](https://github.com/ioquatix) in [https://github.com/ruby/webrick/pull/143](https://github.com/ruby/webrick/pull/143) - Only strip space and horizontal tab in headers by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/141](https://github.com/ruby/webrick/pull/141) - Treat missing CRLF separator after headers as an EOFError by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/142](https://github.com/ruby/webrick/pull/142) - Return 400 response for chunked requests with unexpected data after chunk by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/136](https://github.com/ruby/webrick/pull/136) - Fix reference to URI::REGEXP::PATTERN::HOST by [@​casperisfine](https://github.com/casperisfine) in [https://github.com/ruby/webrick/pull/144](https://github.com/ruby/webrick/pull/144) - Prevent request smuggling by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/146](https://github.com/ruby/webrick/pull/146) #### New Contributors - [@​tricknotes](https://github.com/tricknotes) made their first contribution in [https://github.com/ruby/webrick/pull/109](https://github.com/ruby/webrick/pull/109) - [@​ooooooo-q](https://github.com/ooooooo-q) made their first contribution in [https://github.com/ruby/webrick/pull/114](https://github.com/ruby/webrick/pull/114) - [@​KJTsanaktsidis](https://github.com/KJTsanaktsidis) made their first contribution in [https://github.com/ruby/webrick/pull/128](https://github.com/ruby/webrick/pull/128) - [@​byroot](https://github.com/byroot) made their first contribution in [https://github.com/ruby/webrick/pull/132](https://github.com/ruby/webrick/pull/132) - [@​casperisfine](https://github.com/casperisfine) made their first contribution in [https://github.com/ruby/webrick/pull/144](https://github.com/ruby/webrick/pull/144) **Full Changelog**: ruby/webrick@v1.8.1...v1.8.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [webrick](https://github.com/ruby/webrick) | `1.8.1` -> `1.8.2` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### HTTP Request Smuggling in ruby webrick [CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) / [GHSA-6f62-3596-g6w7](https://github.com/advisories/GHSA-6f62-3596-g6w7) <details> <summary>More information</summary> #### Details An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) - [https://github.com/ruby/webrick/issues/145](https://github.com/ruby/webrick/issues/145) - [https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841](https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841) - [https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7](https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7) - [https://github.com/ruby/webrick](https://github.com/ruby/webrick) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6f62-3596-g6w7) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>ruby/webrick (webrick)</summary> ### [`v1.8.2`](https://github.com/ruby/webrick/releases/tag/v1.8.2) [Compare Source](https://github.com/ruby/webrick/compare/v1.8.1...v1.8.2) #### What's Changed - Drop commented-out line by [@​olleolleolle](https://github.com/olleolleolle) in [https://github.com/ruby/webrick/pull/108](https://github.com/ruby/webrick/pull/108) - Add Ruby 3.1 & 3.2 to CI matrix by [@​tricknotes](https://github.com/tricknotes) in [https://github.com/ruby/webrick/pull/109](https://github.com/ruby/webrick/pull/109) - Fix/redos by [@​ooooooo-q](https://github.com/ooooooo-q) in [https://github.com/ruby/webrick/pull/114](https://github.com/ruby/webrick/pull/114) - Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/120](https://github.com/ruby/webrick/pull/120) - Bump actions/checkout from 3 to 4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/ruby/webrick/pull/121](https://github.com/ruby/webrick/pull/121) - Improve CI by [@​hsbt](https://github.com/hsbt) in [https://github.com/ruby/webrick/pull/123](https://github.com/ruby/webrick/pull/123) - Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by [@​KJTsanaktsidis](https://github.com/KJTsanaktsidis) in [https://github.com/ruby/webrick/pull/128](https://github.com/ruby/webrick/pull/128) - Fix bug chunk extension detection by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/125](https://github.com/ruby/webrick/pull/125) - Fix CI. by [@​ioquatix](https://github.com/ioquatix) in [https://github.com/ruby/webrick/pull/131](https://github.com/ruby/webrick/pull/131) - Merge multiple cookie headers, preserving semantic correctness. by [@​ioquatix](https://github.com/ioquatix) in [https://github.com/ruby/webrick/pull/130](https://github.com/ruby/webrick/pull/130) - Test on macos-latest by [@​byroot](https://github.com/byroot) in [https://github.com/ruby/webrick/pull/132](https://github.com/ruby/webrick/pull/132) - Require CRLF line endings in request line and headers by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/138](https://github.com/ruby/webrick/pull/138) - Prefer squigly heredocs. by [@​ioquatix](https://github.com/ioquatix) in [https://github.com/ruby/webrick/pull/143](https://github.com/ruby/webrick/pull/143) - Only strip space and horizontal tab in headers by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/141](https://github.com/ruby/webrick/pull/141) - Treat missing CRLF separator after headers as an EOFError by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/142](https://github.com/ruby/webrick/pull/142) - Return 400 response for chunked requests with unexpected data after chunk by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/136](https://github.com/ruby/webrick/pull/136) - Fix reference to URI::REGEXP::PATTERN::HOST by [@​casperisfine](https://github.com/casperisfine) in [https://github.com/ruby/webrick/pull/144](https://github.com/ruby/webrick/pull/144) - Prevent request smuggling by [@​jeremyevans](https://github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/146](https://github.com/ruby/webrick/pull/146) #### New Contributors - [@​tricknotes](https://github.com/tricknotes) made their first contribution in [https://github.com/ruby/webrick/pull/109](https://github.com/ruby/webrick/pull/109) - [@​ooooooo-q](https://github.com/ooooooo-q) made their first contribution in [https://github.com/ruby/webrick/pull/114](https://github.com/ruby/webrick/pull/114) - [@​KJTsanaktsidis](https://github.com/KJTsanaktsidis) made their first contribution in [https://github.com/ruby/webrick/pull/128](https://github.com/ruby/webrick/pull/128) - [@​byroot](https://github.com/byroot) made their first contribution in [https://github.com/ruby/webrick/pull/132](https://github.com/ruby/webrick/pull/132) - [@​casperisfine](https://github.com/casperisfine) made their first contribution in [https://github.com/ruby/webrick/pull/144](https://github.com/ruby/webrick/pull/144) **Full Changelog**: ruby/webrick@v1.8.1...v1.8.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
Hi hsbt, I requested to assign https://nvd.nist.gov/vuln/detail/CVE-2024-47220 from MITRE, since jeremyevans said it won't be applied for a CVE for me and your team has committed patch for http smuggling, please let me know if there are any problems for the process. |
I requested rejecting CVE-2024-47220 to MITRE now. Don't request CVE id without maintainer's confirmation. A lot of people's time is spent by your actions. see above reverse links. |
As far as I can tell, this isn't actually used anywhere, so we avoid a [CVE](https://github.com/guacsec/guac-docs/security/dependabot/12) by dropping it. Upstream says it's [not for use in production](ruby/webrick#145 (comment)) anyway. Signed-off-by: Ben Cotton <[email protected]>
Why should this request smuggling vulnerability not be a valid CVE entry? As an example: CVE-2020-25613 is a similar vulnerability in WEBrick and also got a Ruby news entry. |
We changed the maintenance policy at d91c985 and after that announce. |
The vulnerability happens because the server doesn't correctly handle requests with both Content-Length and Transfer-Encoding headers. This allows an attacker to sneak in an extra request (e.g., GET /admin) after the normal request (POST /user). As a result, unauthorized users can access restricted areas like /admin by POST /user.
The following Ruby WEBrick sample server was used to process HTTP requests:
hacker request
server response
Console log
The text was updated successfully, but these errors were encountered: