GHSA-h6m7-j4h3-9rf5

Suggest an improvement
Source
https://github.com/advisories/GHSA-h6m7-j4h3-9rf5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-h6m7-j4h3-9rf5/GHSA-h6m7-j4h3-9rf5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h6m7-j4h3-9rf5
Aliases
Published
2020-08-19T19:52:30Z
Modified
2024-02-06T18:31:07.592362Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Remote Code Execution in SyliusResourceBundle
Details

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

sylius_grid:
    grids:
        foo:
            fields:
                bar:
                    options:
                        baz: "expr:service('sylius.repository.product').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit /route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in OptionsParser::parseOptionExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

For more information

If you have any questions or comments about this advisory: * Email us at security@sylius.com

Database specific
{
    "nvd_published_at": "2020-08-20T01:17:00Z",
    "cwe_ids": [
        "CWE-74",
        "CWE-917"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-19T19:50:49Z"
}
References

Affected packages

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.0
Fixed
1.4.7

Affected versions

v1.*

v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.2

Affected versions

v1.*

v1.5.0
v1.5.1

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.4

Affected versions

v1.*

v1.6.0
v1.6.1
v1.6.2
v1.6.3

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.3.14

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.1.0-RC
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.17
v1.1.18
v1.2.0-BETA
v1.2.0-RC
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.3.0-BETA
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13