ruby.rails.security.audit.rails-check-page-caching-gem.rails-check-page-caching-gem

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

All versions below 1.2.1 of the 'actionpack_page-caching' gem are vulnerable to arbitrary file write and remote code execution (CVE-2020-8159). Update to version 1.2.1 or greater or remove calls to 'caches_page'.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: rails-check-page-caching-gem
    pattern-either:
      - patterns:
          - pattern: gem 'actionpack_page-caching', '1.$MIN'
          - metavariable-comparison:
              metavariable: $MIN
              comparison: $MIN <= 2
      - patterns:
          - pattern: gem 'actionpack_page-caching', '1.$MIN.$PATCH'
          - metavariable-comparison:
              metavariable: $MIN
              comparison: $MIN < 2
      - patterns:
          - patterns:
              - pattern: gem 'actionpack_page-caching', '1.2.$PATCH'
              - metavariable-comparison:
                  metavariable: $PATCH
                  comparison: $PATCH < 1
      - pattern-either:
          - pattern: gem 'actionpack_page-caching', '~> 0.$MIN'
          - pattern: gem 'actionpack_page-caching', '~> 0.$MIN.$PATCH'
          - patterns:
              - pattern-either:
                  - pattern: gem 'actionpack_page-caching', '~> 1.$MIN'
                  - pattern: gem 'actionpack_page-caching', '~> 1.$MIN.$PATCH'
              - metavariable-comparison:
                  metavariable: $MIN
                  comparison: $MIN < 2
    message: All versions below 1.2.1 of the 'actionpack_page-caching' gem are
      vulnerable to arbitrary file write and remote code execution
      (CVE-2020-8159). Update to version 1.2.1 or greater or remove calls to
      'caches_page'.
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*Gemfile"
        - gems.rb
    metadata:
      cwe:
        - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory
          ('Path Traversal')"
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      technology:
        - rails
      category: security
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_page_caching_cve.rb
      references:
        - https://nvd.nist.gov/vuln/detail/CVE-2020-8159
        - https://groups.google.com/g/rubyonrails-security/c/CFRVkEytdP8
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

rails-check-page-caching-gem.Gemfile

source 'https://rubygems.org'

# ok
gem 'actionpack_page-caching', '1.2.1'

# ok
gem 'actionpack_page-caching', '2.0.0'

# ok
gem 'actionpack_page-caching', '~> 1.2'

# ruleid: rails-check-page-caching-gem 
gem 'actionpack_page-caching', '1.2.0'

# ruleid: rails-check-page-caching-gem 
gem 'actionpack_page-caching', '1.0.99'

# ruleid: rails-check-page-caching-gem 
gem 'actionpack_page-caching', '~> 0.99'

# ruleid: rails-check-page-caching-gem 
gem 'actionpack_page-caching', '~> 1.1'

# ruleid: rails-check-page-caching-gem 
gem 'actionpack_page-caching', '~> 1.1.2'