Added rspec check for embedded double newlines (closes #788)

* Added rspec check for embedded double newlines. * Fixed two other advisories with embedded double newlines. --------- Co-authored-by: Postmodern <[email protected]>
rubysec · Jun 21, 2024 · b1bb1f7 · b1bb1f7
1 parent 0049582
commit b1bb1f7
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 18 deletions.
diff --git a/gems/avo/CVE-2023-34102.yml b/gems/avo/CVE-2023-34102.yml
@@ -8,7 +8,7 @@ date: 2023-06-06
 description: |
   ### Summary
 
-  "The polymorphic field type stores the classes to operate on when updating
+  The polymorphic field type stores the classes to operate on when updating
   a record with user input, and does not validate them in the back end.
   This can lead to unexpected behavior, remote code execution, or
   application crashes when viewing a manipulated record.
@@ -29,20 +29,38 @@ description: |
 
   ### PoC
 
-  ![image](https://user-images.githubusercontent.com/26464774/243437854-933d94c8-4ae0-43fe-b2da-35b103e28796.png)\n_In the test scenario we choose the demo app and the review resource which has a polymorphic
-  reviewable field._![image](https://user-images.githubusercontent.com/26464774/243437954-2d947c6d-4e97-4e91-a442-405e553dd047.png)\n_Intercepting
-  the request and switching the review[reviewable_type] from “Fish”
-  to “File” which is a real class inside Rails_![image](https://user-images.githubusercontent.com/26464774/243438031-109de6d0-9370-4318-b18e-c5bcea61cf54.png)\n_Corrupting
-  the database with unusable classes will cause a crash at the
-  application while viewing the new record or the index
-  view (partial DoS)_\n\n![image](https://user-images.githubusercontent.com/26464774/243438104-80df5aae-86de-40fc-870d-689a03cae389.png)\n_Manual
-  delete the corrupted resource in order to recover the applications functionality_\n\n![image](https://user-images.githubusercontent.com/26464774/243438182-1e7eef54-73ba-47d0-b5df-4bad14859af3.png)\n_Of
-  course it is possible to use other class names or namespaces. The
+  ![image](https://user-images.githubusercontent.com/26464774/243437854-933d94c8-4ae0-43fe-b2da-35b103e28796.png)
+
+  In the test scenario we choose the demo app and the review
+  resource which has a polymorphic reviewable field.
+
+  ![image](https://user-images.githubusercontent.com/26464774/243437954-2d947c6d-4e97-4e91-a442-405e553dd047.png)
+
+  Intercepting the request and switching the review[reviewable_type]
+  from “Fish” to “File” which is a real class inside Rails
+
+  ![image](https://user-images.githubusercontent.com/26464774/243438031-109de6d0-9370-4318-b18e-c5bcea61cf54.png)
+
+  Corrupting the database with unusable classes will cause a crash
+  at the application while viewing the new record or the index
+  view (partial DoS)
+
+  ![image](https://user-images.githubusercontent.com/26464774/243438104-80df5aae-86de-40fc-870d-689a03cae389.png)
+
+  Manual delete the corrupted resource in order to recover the
+  applications functionality
+
+  ![image](https://user-images.githubusercontent.com/26464774/243438182-1e7eef54-73ba-47d0-b5df-4bad14859af3.png)
+
+  Of course it is possible to use other class names or namespaces. The
   local development environment displays the backend error message
   when visiting a corrupted record. Avo is trying to apply a scope to
-  this class that does not exist._\n\n![image](https://user-images.githubusercontent.com/26464774/243438257-dbb59153-58a8-4421-b796-f2a0f2c20083.png)\n_Specifying
-  an invalid class name in the parameter will cause the application
-  to crash again while trying constanize the provided string_
+  this class that does not exist.
+
+  ![image](https://user-images.githubusercontent.com/26464774/243438257-dbb59153-58a8-4421-b796-f2a0f2c20083.png)
+
+  Specifying an invalid class name in the parameter will cause the
+  application to crash again while trying constanize the provided string
 
   ### Impact
 
@@ -57,7 +75,7 @@ description: |
   when defining classes for records. In this particular case, Avo can
   evaluate the options list given for the polymorphic field and only allow
   strings from that list. With this white-list approach, an attacker
-  cannot supply unintended classes."
+  cannot supply unintended classes.
 cvss_v3: 8.3
 patched_versions:
   - ">= 2.33.3"

diff --git a/gems/decidim/CVE-2023-47634.yml b/gems/decidim/CVE-2023-47634.yml
@@ -6,10 +6,17 @@ url: https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2
 title: Race condition in Endorsements
 date: 2024-02-20
 description: |
-  "### Impact\n\nA race condition in the endorsement of resources (for
-  instance, a proposal) allows a user to make more than once endorsement.\n\nTo exploit
-  this vulnerability, the request to set an endorsement must be sent several times
-  in parallel.\n \n### Workarounds\n\nDisable the Endorsement feature in the components. "
+  ### Impact
+
+  A race condition in the endorsement of resources (for instance,
+  a proposal) allows a user to make more than once endorsement.
+
+  To exploit this vulnerability, the request to set an
+  endorsement must be sent several times in parallel.
+
+  ### Workarounds
+
+  Disable the Endorsement feature in the components.
 cvss_v3: 3.1
 unaffected_versions:
   - "< 0.10.0"

diff --git a/spec/advisory_example.rb b/spec/advisory_example.rb
@@ -136,6 +136,10 @@
         expect(subject).to include("\n")
       end
 
+      it "must not have double embbedded newlines" do
+        expect(subject).to_not include("\\n\\n")
+      end
+
       it { expect(subject).to be_kind_of(String) }
       it { expect(subject).not_to be_empty }
     end