Potential code execution in Packages::Rpm::RepositoryMetadata::BuildRepomdXml
Summary
In Packages::Rpm::RepositoryMetadata::BuildRepomdXml we're making use of public_send to build some XML structure for package metadata:
  def build_file_info(info, xml)
    info.each do |key, attributes|
      value = attributes.delete(:value)
      xml.public_send(key, value, attributes) # rubocop:disable GitlabSecurity/PublicSend
    end
  end
It's likely that this data is user controlled and comes from tags etc. within an RPM package. Therefore we must assume malicious input ending up in the key, value and attributes parameters to public_send. Ultimately this can result in arbitrary code execution. I poked around with this for a bit and couldn't find an easy way to exploit this, but I still strongly suggest getting rid of the public_send method here.
Steps to reproduce
In the rails console the following snippet can be used to demonstrate code injection using puts:

  data = { filelist: { '__send__': { value: "puts", lol: "hacked" } } }
  x = Packages::Rpm::RepositoryMetadata::BuildRepomdXml.new data
  print x.execute
We can see puts being called in this screenshot:
Possible fixes
Check the input for expected keys.
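The following is an added example of that fix, not GitLab's own code: an allowlist-checked variant of build_file_info that never dispatches on a caller-supplied method name. Instead of public_send it calls one fixed builder method (the real Builder::XmlMarkup has tag!, which takes the element name as data) and rejects any element or attribute name that is not on an allowlist. The allowlists, the FakeXml stand-in for Builder::XmlMarkup and the sample input hashes are all assumptions made so the example runs offline.

```ruby
require 'set'

module HardenedRepomd
  # Illustrative allowlists (assumption): the real lists would be taken from
  # the repomd.xml elements the builder actually needs to emit.
  ALLOWED_ELEMENTS = Set.new(%i[checksum open-checksum location timestamp size open-size]).freeze
  ALLOWED_ATTRIBUTES = Set.new(%i[type href]).freeze

  # Minimal stand-in for Builder::XmlMarkup so the example runs without the
  # builder gem. It only offers tag!, whose first argument is the element name
  # as data, so there is no method dispatch on user input at all.
  class FakeXml
    attr_reader :output

    def initialize
      @output = +''
    end

    def tag!(name, value, attributes = {})
      attrs = attributes.map { |k, v| " #{k}=\"#{esc(v)}\"" }.join
      @output << "<#{name}#{attrs}>#{esc(value)}</#{name}>"
      self
    end

    private

    # Escape the characters that would otherwise let a value break out of
    # its element or attribute (XML injection is a separate concern from
    # public_send, but an XML builder must handle it too).
    def esc(text)
      text.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
    end
  end

  # Hardened counterpart of the reported build_file_info: every key and every
  # attribute name is checked against the allowlist before anything is emitted,
  # so a key such as :__send__ or :instance_eval is rejected as plain data.
  def self.build_file_info(info, xml)
    info.each do |key, attributes|
      name = key.to_sym
      unless ALLOWED_ELEMENTS.include?(name)
        raise ArgumentError, "unexpected repomd element #{key.inspect}"
      end

      attributes = attributes.dup # do not mutate the caller's hash
      value = attributes.delete(:value)

      unknown = attributes.keys.map(&:to_sym) - ALLOWED_ATTRIBUTES.to_a
      unless unknown.empty?
        raise ArgumentError, "unexpected attributes #{unknown.inspect} on #{name}"
      end

      xml.tag!(name.to_s, value, attributes)
    end
    xml
  end

  # Convenience wrapper returning the XML string, or nil if the input was rejected.
  def self.render(info)
    build_file_info(info, FakeXml.new).output
  rescue ArgumentError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input shaped like the report's hash, with a benign element.
  puts HardenedRepomd.render({ checksum: { value: 'abc123', type: 'sha256' } })
  # The report's payload shape is rejected instead of reaching any method dispatch.
  p HardenedRepomd.render({ '__send__': { value: 'puts', lol: 'hacked' } })
end
```

The point of the change is that the element name is only ever compared against a fixed set and then passed as an argument; even if the allowlist were wider than needed, a key could no longer name a Ruby method on the builder object.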