Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: restforce
date: 2018-07-27
url: https://github.com/restforce/restforce/pull/392
cve: 2018-3777
title: Insufficient URI encoding in restforce
description: |
  A flaw in how restforce constructs URLs may allow an attacker to inject
  additional parameters into Salesforce API requests.

  Impact
  ------
  This flaw is only exploitable in applications that pass user input directly
  to restforce's select, find, describe, update, upsert, and destroy methods.
  Vulnerable code might look like:

  ```ruby
  # the record ID (second argument) is taken straight from the request
  client.select('SomeSalesForceObject', params[:some_id],
     ...)
  ```

  In such an application, attackers could pass `0016000000MRatd/describe`
  as a request parameter, causing the server to make a request to a different
  endpoint than the server is designed to handle. Since the Salesforce REST
  API supports overriding HTTP methods via a request parameter, an attacker
  could also cause the client's `select()` method to modify data, by passing
  `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`.

  Workarounds
  ------
  If possible, applications should track Salesforce IDs internally, rather than
  passing user-supplied IDs to Salesforce. Such practice mitigates this
  vulnerability, and in general is desirable for ensuring strong access control.
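
  The path injection described under Impact and the ID check suggested above, as an
  added example in plain Ruby that is neither restforce's nor the advisory's own code;
  the module name and the relative `sobjects/...` path shape are assumptions, and the
  inputs are the advisory's own payloads:

  ```ruby
  require 'erb'

  # Added example (not restforce's own code): shows how an unencoded ID
  # rewrites the request path, and two checks an application can apply
  # before passing user input to select/find/describe/update/upsert/destroy.
  module SalesforcePathGuard
    # Salesforce record IDs are 15 or 18 case-sensitive alphanumerics.
    SF_ID = /\A[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?\z/

    # Naive construction of the kind the advisory describes: the ID is
    # interpolated verbatim, so a "/" or "?" inside it becomes a path
    # separator or a query string.
    def self.unsafe_path(sobject, id)
      "sobjects/#{sobject}/#{id}"
    end

    # Hardened construction: each value is percent-encoded as one path
    # segment, so "/" and "?" can no longer change the endpoint.
    def self.encoded_path(sobject, id)
      "sobjects/#{ERB::Util.url_encode(sobject)}/#{ERB::Util.url_encode(id)}"
    end

    # Application-level check from the Workarounds section: accept only
    # well-formed IDs, rejecting anything else before it reaches the client.
    def self.valid_id?(id)
      id.is_a?(String) && SF_ID.match?(id)
    end

    # Splits a relative path the way an HTTP server would: returns the
    # path segments and the query string (nil if there is none).
    def self.route(path)
      path_part, query = path.split('?', 2)
      [path_part.split('/').reject(&:empty?), query]
    end
  end

  if __FILE__ == $PROGRAM_NAME
    hostile = '0016000000MRatd/?_HttpMethod=PATCH' # payload quoted in the advisory
    p SalesforcePathGuard.route(SalesforcePathGuard.unsafe_path('Account', hostile))
    p SalesforcePathGuard.route(SalesforcePathGuard.encoded_path('Account', hostile))
    p SalesforcePathGuard.valid_id?(hostile)
  end
  ```

  With the naive builder the server sees a bare record path plus a `_HttpMethod=PATCH`
  query; with the encoded builder the whole payload stays one opaque segment, and the
  format check rejects it outright.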
patched_versions:
- ">= 3.0.0"