Jan Rusnacko of the Red Hat Product Security Team reports:
CFME contains an unsafe invocation of send method on user-supplied
argument. This issue is reported by Brakeman as problem in ServiceController
method x_button:
vmdb/app/controllers/service_controller.rb
16 def x_button
17 @explorer = true
18 model, action = pressed2model_action(params[:pressed])
19 @sb[:action] = action
20 if ["ownership","tag"].include?(action)
21 self.send(params[:pressed],"Service")
22 else
23 self.send(params[:pressed])
24 end
Assuming pressed2model_action sanitizes user input, this look like
false-positive. However, pressed2model_action does not do sanitization, and only
splits string on underscore:
def pressed2model_action(pressed)
pressed =~ /^(vm_vdi|miq_template)_(.*)$/ ? [$1, $2] : pressed.split('_', 2)
end
If action parsed from user-supplied input is neither "ownership", nor "tag",
else branch is executed and client can execute arbitrary method on controller,
including private.
Jan Rusnacko of the Red Hat Product Security Team reports: CFME contains an unsafe invocation of send method on user-supplied argument. This issue is reported by Brakeman as problem in ServiceController method x_button: vmdb/app/controllers/service_controller.rb 16 def x_button 17 @explorer = true 18 model, action = pressed2model_action(params[:pressed]) 19 @sb[:action] = action 20 if ["ownership","tag"].include?(action) 21 self.send(params[:pressed],"Service") 22 else 23 self.send(params[:pressed]) 24 end Assuming pressed2model_action sanitizes user input, this look like false-positive. However, pressed2model_action does not do sanitization, and only splits string on underscore: def pressed2model_action(pressed) pressed =~ /^(vm_vdi|miq_template)_(.*)$/ ? [$1, $2] : pressed.split('_', 2) end If action parsed from user-supplied input is neither "ownership", nor "tag", else branch is executed and client can execute arbitrary method on controller, including private.