From 88b7d63ff4350aa207a483f1ae77d084183a52f2 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 7 Jan 2024 08:45:30 -0500 Subject: [PATCH 1/2] GHSA Sync: 1 brand new advisory --- gems/httparty/CVE-2024-22049.yml | 86 ++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 gems/httparty/CVE-2024-22049.yml diff --git a/gems/httparty/CVE-2024-22049.yml b/gems/httparty/CVE-2024-22049.yml new file mode 100644 index 0000000000..93a82b5bf4 --- /dev/null +++ b/gems/httparty/CVE-2024-22049.yml 
@@ -0,0 +1,86 @@ +--- +gem: httparty +cve: 2024-22049 +ghsa: 5pq7-52mg-hr42 +url: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 +title: httparty has multipart/form-data request tampering vulnerability +date: 2023-01-03 +description: | + "### Impact\nI found \"multipart/form-data request tampering vulnerability\" + caused by Content-Disposition \"filename\" lack of escaping in httparty.\n\n`httparty/lib/httparty/request` + > `body.rb` > `def generate_multipart`\n\nhttps://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\n\nBy + exploiting this problem, the following attacks are possible\n\n* An attack that + rewrites the \"name\" field according to the crafted file name, impersonating (overwriting) + another field.\n* Attacks that rewrite the filename extension at the time multipart/form-data + is generated by tampering with the filename\n\nFor example, this vulnerability can + be exploited to generate the following Content-Disposition.\n\n> Normal Request + example:\n> normal input filename: `abc.txt`\n> \n> generated normal header in multipart/form-data\n> + `Content-Disposition: form-data; name=\"avatar\"; filename=\"abc.txt\"`\n \n> Malicious + Request example\n> malicious input filename: `overwrite_name_field_and_extension.sh\"; + name=\"foo\"; dummy=\".txt`\n> \n> generated malicious header in multipart/form-data:\n> + `Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; + name=\"foo\"; dummy=\".txt\"`\n\nThe Abused Header has multiple name ( `avatar` + & `foo` ) fields and the \"filename\" has been rewritten from `*.txt` to `*.sh` + .\n\nThese problems can result in successful or unsuccessful attacks, depending + on the behavior of the parser receiving the request.\nI have confirmed that the + attack succeeds, at least in the following frameworks\n\n * Spring (Java)\n * Ktor + (Kotlin)\n * Ruby on Rails (Ruby)\n\nThe 
cause of this problem is the lack of escaping + of the `\"` (Double-Quote) character in Content-Disposition > filename.\n\nWhatWG's + HTML spec has an escaping requirement.\n\nhttps://html.spec.whatwg.org/#multipart-form-data\n\n> + For field names and filenames for file fields, the result of the encoding in the + previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the + byte sequence `0A`, 0x0D (CR) with `0D` and 0x22 (\") with `22`. The user agent + must not perform any other escapes.\n\n\n\n### Patches\n\nAs noted at the beginning + of this section, encoding must be done as described in the HTML Spec.\n\nhttps://html.spec.whatwg.org/#multipart-form-data\n\n> + For field names and filenames for file fields, the result of the encoding in the + previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the + byte sequence `0A`, 0x0D (CR) with `0D` and 0x22 (\") with `22`. The user agent + must not perform any other escapes.\n\nTherefore, it is recommended that Content-Disposition + be modified by either of the following\n\n> Before:\n> `Content-Disposition: attachment;filename=\"malicious.sh\";dummy=.txt`\n\n> + After:\n> `Content-Disposition: attachment;filename=\"22malicious.sh22;dummy=.txt\"`\n\nhttps://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\n\n```\nfile_name.gsub('\"', '22')\n```\n\nAlso, as for `\\r`, `\\n`, URL Encode is not done, but it is not + newlines, so it seemed to be OK.\nHowever, since there may be omissions, it is safer + to URL encode these as well, if possible.\n( `\\r` to `0A` and `\\d` to `0D` ) + \n\n### PoC\n\n#### PoC Environment\n\nOS: macOS Monterey(12.3)\nRuby ver: ruby + 3.1.2p20 \nhttparty ver: 0.20.0\n(Python3 - HTTP Request Logging Server)\n\n### + PoC procedure\n\n\n(Linux or MacOS is required. \nThis is because Windows does not + allow file names containing `\"` (double-quote) .)\n\n1. 
Create Project \n```\n$ + mkdir my-app\n$ cd my-app\n$ gem install httparty\n```\n\n2. Create malicious file\n\n```\n$ + touch 'overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt'\n```\n\n3. + Generate Vuln code\n\n```\n$ vi example.rb\n```\n\n```\nrequire 'httparty'\n\nfilename + = 'overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt'\n\nHTTParty.post('http://localhost:12345/',\n + \ body: {\n name: 'Foo Bar',\n email: 'example@email.com',\n avatar: File.open(filename)\n + \ }\n)\n```\n\n\n4. Run Logging Server\n\nI write Python code, but any method will + work as long as you can see the HTTP Request Body.\n(e.g. Debugger, HTTP Logging + Server, Packet Capture) \n\n\n$ vi logging.py\n```\nfrom http.server import HTTPServer\nfrom + http.server import BaseHTTPRequestHandler\n\nclass LoggingServer(BaseHTTPRequestHandler):\n\n + \ def do_POST(self):\n self.send_response(200)\n self.end_headers()\n + \ self.wfile.write(\"ok\".encode(\"utf-8\"))\n\n content_length = int(self.headers['Content-Length'])\n + \ post_data = self.rfile.read(content_length)\n print(\"POST request,\\nPath: + s\\nHeaders:\\ns\\n\\nBody:\\ns\\n\",\n str(self.path), str(self.headers), + post_data.decode('utf-8'))\n self.wfile.write(\"POST request for {}\".format(self.path).encode('utf-8'))\n\nip + = '127.0.0.1'\nport = 12345\n\nserver = HTTPServer((ip, port), LoggingServer)\nserver.serve_forever()\n```\n\n$ + python logging.py\n\n\n5. 
Run & Logging server\n\n```\n$ run example.rb\n```\n\nReturn + Request Header & Body:\n\n> User-Agent: Ruby\n> Content-Type: multipart/form-data; + boundary=------------------------F857UcxRc2J1zFOz\n> Connection: close\n> Host: + localhost:12345\n> Content-Length: 457\n> \n> --------------------------F857UcxRc2J1zFOz\n> + Content-Disposition: form-data; name=\"name\"\n> \n> Foo Bar\n> --------------------------F857UcxRc2J1zFOz\n> + Content-Disposition: form-data; name=\"email\"\n> \n> example@email.com\n> --------------------------F857UcxRc2J1zFOz\n> + Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; + name=\"foo\"; dummy=\".txt\"\n> Content-Type: text/plain\n> \n> abc\n> --------------------------F857UcxRc2J1zFOz--\n\n\nContent-Disposition:\n> + Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; + name=\"foo\"; dummy=\".txt\"\n\n* name fields is duplicate (avator & foo)\n* filename + & extension tampering ( .txt --> .sh )\n\n\n\n\n### References\n\n1. I also include + a similar report that I previously reported to Firefox.\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1556711\n\n\n2. 
+ I will post some examples of frameworks that did not have problems as reference.\n\nGolang\nhttps://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144\n\nSpring\nhttps://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267\n\nSymphony\nhttps://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133\n\n\n### + For more information\nIf you have any questions or comments about this advisory:\n* + Email us at [kumagoro_alice@yahoo.co.jp](mailto:kumagoro_alice@yahoo.co.jp)\n" +cvss_v3: 6.5 +patched_versions: + - ">= 0.21.0" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2024-22049 + - https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 + - https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e + - https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43 + - https://github.com/advisories/GHSA-5pq7-52mg-hr42 From 32695aafd3c35928a3cc199f0ba2993e95eca5d1 Mon Sep 17 00:00:00 2001 From: Postmodern Date: Sun, 7 Jan 2024 12:46:55 -0800 Subject: [PATCH 2/2] Updated the description for gems/httparty/CVE-2024-22049.yml The description from the GHSA advisory contains lots of markdown formatting and is basically unreadable. Also, the description reads more like a PoC writeup than an advisory summary. --- gems/httparty/CVE-2024-22049.yml | 78 ++++---------------------------- 1 file changed, 10 insertions(+), 68 deletions(-) diff --git a/gems/httparty/CVE-2024-22049.yml b/gems/httparty/CVE-2024-22049.yml index 93a82b5bf4..26ff21678a 100644 --- a/gems/httparty/CVE-2024-22049.yml +++ b/gems/httparty/CVE-2024-22049.yml 
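Review bot: the `date: 2023-01-03` line in this new file looks wrong for an advisory whose CVE id is 2024-22049 and which is being synced in January 2024; please verify it against the GHSA publication date (the year is most likely a typo for 2024). Separately, the `description` is pasted as one JSON-escaped string (literal `\n`, `\"`, a leading and trailing `"`), so the YAML block scalar will render as unreadable raw markdown rather than prose; a short summary of affected versions, root cause (unescaped `"` in the multipart `filename` attribute) and fix would serve the database better than the full PoC writeup. The pasted text has also lost its `%` characters: the quoted WHATWG rule reads as replacing 0x0A with `0A` and 0x22 with `22` (the spec's `%0A`, `%0D`, `%22`), the suggested fix `file_name.gsub('\"', '22')` would replace a quote with the digits 22 instead of `%22`, and the Python logging server's `print("POST request,\nPath: s\nHeaders:\ns\n\nBody:\ns\n", ...)` is missing the `%s` placeholders for its three arguments. The line `( \r to 0A and \d to 0D )` is additionally swapped and misspelled: per the spec text quoted just above it, CR (`\r`) maps to `%0D` and LF (`\n`) to `%0A`.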
@@ -6,74 +6,16 @@ url: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-h title: httparty has multipart/form-data request tampering vulnerability date: 2023-01-03 description: | - "### Impact\nI found \"multipart/form-data request tampering vulnerability\" - caused by Content-Disposition \"filename\" lack of escaping in httparty.\n\n`httparty/lib/httparty/request` - > `body.rb` > `def generate_multipart`\n\nhttps://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\n\nBy - exploiting this problem, the following attacks are possible\n\n* An attack that - rewrites the \"name\" field according to the crafted file name, impersonating (overwriting) - another field.\n* Attacks that rewrite the filename extension at the time multipart/form-data - is generated by tampering with the filename\n\nFor example, this vulnerability can - be exploited to generate the following Content-Disposition.\n\n> Normal Request - example:\n> normal input filename: `abc.txt`\n> \n> generated normal header in multipart/form-data\n> - `Content-Disposition: form-data; name=\"avatar\"; filename=\"abc.txt\"`\n \n> Malicious - Request example\n> malicious input filename: `overwrite_name_field_and_extension.sh\"; - name=\"foo\"; dummy=\".txt`\n> \n> generated malicious header in multipart/form-data:\n> - `Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; - name=\"foo\"; dummy=\".txt\"`\n\nThe Abused Header has multiple name ( `avatar` - & `foo` ) fields and the \"filename\" has been rewritten from `*.txt` to `*.sh` - .\n\nThese problems can result in successful or unsuccessful attacks, depending - on the behavior of the parser receiving the request.\nI have confirmed that the - attack succeeds, at least in the following frameworks\n\n * Spring (Java)\n * Ktor - (Kotlin)\n * Ruby on Rails (Ruby)\n\nThe cause of this problem is the lack of escaping - of the `\"` 
(Double-Quote) character in Content-Disposition > filename.\n\nWhatWG's - HTML spec has an escaping requirement.\n\nhttps://html.spec.whatwg.org/#multipart-form-data\n\n> - For field names and filenames for file fields, the result of the encoding in the - previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the - byte sequence `0A`, 0x0D (CR) with `0D` and 0x22 (\") with `22`. The user agent - must not perform any other escapes.\n\n\n\n### Patches\n\nAs noted at the beginning - of this section, encoding must be done as described in the HTML Spec.\n\nhttps://html.spec.whatwg.org/#multipart-form-data\n\n> - For field names and filenames for file fields, the result of the encoding in the - previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the - byte sequence `0A`, 0x0D (CR) with `0D` and 0x22 (\") with `22`. The user agent - must not perform any other escapes.\n\nTherefore, it is recommended that Content-Disposition - be modified by either of the following\n\n> Before:\n> `Content-Disposition: attachment;filename=\"malicious.sh\";dummy=.txt`\n\n> - After:\n> `Content-Disposition: attachment;filename=\"22malicious.sh22;dummy=.txt\"`\n\nhttps://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\n\n```\nfile_name.gsub('\"', '22')\n```\n\nAlso, as for `\\r`, `\\n`, URL Encode is not done, but it is not - newlines, so it seemed to be OK.\nHowever, since there may be omissions, it is safer - to URL encode these as well, if possible.\n( `\\r` to `0A` and `\\d` to `0D` ) - \n\n### PoC\n\n#### PoC Environment\n\nOS: macOS Monterey(12.3)\nRuby ver: ruby - 3.1.2p20 \nhttparty ver: 0.20.0\n(Python3 - HTTP Request Logging Server)\n\n### - PoC procedure\n\n\n(Linux or MacOS is required. \nThis is because Windows does not - allow file names containing `\"` (double-quote) .)\n\n1. Create Project \n```\n$ - mkdir my-app\n$ cd my-app\n$ gem install httparty\n```\n\n2. 
Create malicious file\n\n```\n$ - touch 'overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt'\n```\n\n3. - Generate Vuln code\n\n```\n$ vi example.rb\n```\n\n```\nrequire 'httparty'\n\nfilename - = 'overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt'\n\nHTTParty.post('http://localhost:12345/',\n - \ body: {\n name: 'Foo Bar',\n email: 'example@email.com',\n avatar: File.open(filename)\n - \ }\n)\n```\n\n\n4. Run Logging Server\n\nI write Python code, but any method will - work as long as you can see the HTTP Request Body.\n(e.g. Debugger, HTTP Logging - Server, Packet Capture) \n\n\n$ vi logging.py\n```\nfrom http.server import HTTPServer\nfrom - http.server import BaseHTTPRequestHandler\n\nclass LoggingServer(BaseHTTPRequestHandler):\n\n - \ def do_POST(self):\n self.send_response(200)\n self.end_headers()\n - \ self.wfile.write(\"ok\".encode(\"utf-8\"))\n\n content_length = int(self.headers['Content-Length'])\n - \ post_data = self.rfile.read(content_length)\n print(\"POST request,\\nPath: - s\\nHeaders:\\ns\\n\\nBody:\\ns\\n\",\n str(self.path), str(self.headers), - post_data.decode('utf-8'))\n self.wfile.write(\"POST request for {}\".format(self.path).encode('utf-8'))\n\nip - = '127.0.0.1'\nport = 12345\n\nserver = HTTPServer((ip, port), LoggingServer)\nserver.serve_forever()\n```\n\n$ - python logging.py\n\n\n5. 
Run & Logging server\n\n```\n$ run example.rb\n```\n\nReturn - Request Header & Body:\n\n> User-Agent: Ruby\n> Content-Type: multipart/form-data; - boundary=------------------------F857UcxRc2J1zFOz\n> Connection: close\n> Host: - localhost:12345\n> Content-Length: 457\n> \n> --------------------------F857UcxRc2J1zFOz\n> - Content-Disposition: form-data; name=\"name\"\n> \n> Foo Bar\n> --------------------------F857UcxRc2J1zFOz\n> - Content-Disposition: form-data; name=\"email\"\n> \n> example@email.com\n> --------------------------F857UcxRc2J1zFOz\n> - Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; - name=\"foo\"; dummy=\".txt\"\n> Content-Type: text/plain\n> \n> abc\n> --------------------------F857UcxRc2J1zFOz--\n\n\nContent-Disposition:\n> - Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; - name=\"foo\"; dummy=\".txt\"\n\n* name fields is duplicate (avator & foo)\n* filename - & extension tampering ( .txt --> .sh )\n\n\n\n\n### References\n\n1. I also include - a similar report that I previously reported to Firefox.\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1556711\n\n\n2. 
- I will post some examples of frameworks that did not have problems as reference.\n\nGolang\nhttps://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144\n\nSpring\nhttps://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267\n\nSymphony\nhttps://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133\n\n\n### - For more information\nIf you have any questions or comments about this advisory:\n* - Email us at [kumagoro_alice@yahoo.co.jp](mailto:kumagoro_alice@yahoo.co.jp)\n" + HTTP multipart/form-data request tampering vulnerability in httparty < 0.20.0, + due to lack of proper escaping of double quotes within the filename attribute + of the Content-Disposition header. If the Content-Disposition header is set to + "form-data" and contains the "filename" attribute, and the "filename" + attribute contains a double quote followed by additional attributes, then + those attributes will be parsed as Content-Disposition attributes and will + override the Content-Disposition header's previous attributes. + + Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt" + cvss_v3: 6.5 patched_versions: - ">= 0.21.0"
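Review bot: the rewritten description says `httparty < 0.20.0`, but `patched_versions` in the same file is `">= 0.21.0"` and the removed PoC text reproduces the bug on httparty 0.20.0, so the affected range should read `< 0.21.0`. The new text also states flatly that the injected attributes "will override" the header's previous attributes, whereas the original report says success depends on the receiving parser (it names Spring, Ktor and Rails as parsers where the attack worked); suggest "may be parsed as additional Content-Disposition attributes and, depending on the receiving multipart parser, override the earlier ones". It would help to keep one sentence on the fix, which the removed text documents as escaping `"` (and CR/LF) in the filename as the WHATWG multipart/form-data rules require (the removed text's `22`, `0A` and `0D` are the percent-escapes `%22`, `%0A` and `%0D` with the `%` lost), and the unchanged `date: 2023-01-03` context line is still inconsistent with the 2024 CVE year.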