PT-2024-22316 · Unknown · Turbo Boost-Commands

Published

2024-03-14

·

Updated

2025-12-05

·

CVE-2024-28181

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

turbo boost-commands versions prior to 0.1.3
turbo boost-commands versions prior to 0.2.2

Description

The turbo boost-commands library has insufficient protections in place to guarantee that only public methods on Command classes can be invoked. A sophisticated attacker may be able to invoke more methods than permitted, depending on the authorization checks enforced by individual applications. This can lead to unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. The issue stems from inadequate verification of the requested method: the library only confirms that the class is a Command and that the method is publicly defined, which is not sufficient to prevent all unwanted code execution.

Recommendations

Upgrade to turbo boost-commands version 0.1.3 or later. Upgrade to turbo boost-commands version 0.2.2 or later. If upgrading is not possible, implement the provided workaround by adding the following guard to your application:
class ApplicationCommand < TurboBoost::Commands::Command
  before_command do
    # The requested action arrives as "CommandClass#method"; without a "#" the default action is :perform.
    method_name = params[:name].include?("#") ? params[:name].split("#").last : :perform
    # Only the application's own command classes count: those below TurboBoost::Commands::Command in the ancestor chain.
    ancestors = self.class.ancestors[0..self.class.ancestors.index(TurboBoost::Commands::Command) - 1]
    # Allow the method only if one of those classes defines it directly as a public instance method;
    # public methods inherited from the framework base, Object or Kernel are rejected.
    allowed = ancestors.any? { |a| a.public_instance_methods(false).any? method_name.to_sym }
    throw :abort unless allowed
  end
end
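
The two checks the Description contrasts, side by side, as an added example that is not part of this advisory or of the turbo boost-commands project: a model of the weak "class is a Command and the method is public" check beside the ancestor-restricted guard from the workaround. BaseCommand is a stand-in for TurboBoost::Commands::Command, and the command classes, method names and request strings are constructed for the demonstration.

```ruby
# Added example, not code from the advisory or the turbo_boost-commands
# project. BaseCommand stands in for TurboBoost::Commands::Command; the
# command classes and method names below are constructed for the demo.
class BaseCommand; end

class ApplicationCommand < BaseCommand
  def audit_log; "logged"; end     # application-level helper, public
end

class DemoCommand < ApplicationCommand
  def perform; "performed"; end    # default action when no "#method" is given
  def update_name; "updated"; end  # an action the UI is expected to invoke

  private

  def drop_tables; "dropped"; end  # must never be reachable from a request
end

# Model of the check the advisory calls insufficient: "the class is a Command
# and the method is publicly defined". Public methods every Ruby object
# inherits from Object/Kernel (for example :send) satisfy it as well.
def weak_allowed?(klass, requested)
  method_name = requested.include?("#") ? requested.split("#").last : :perform
  klass <= BaseCommand && klass.public_method_defined?(method_name.to_sym)
end

# The workaround's logic, lifted out of the before_command hook: only methods
# defined directly on the application's own command classes (those between
# the concrete class and the framework base) are allowed.
def guard_allowed?(klass, requested)
  method_name = requested.include?("#") ? requested.split("#").last : :perform
  app_classes = klass.ancestors[0..klass.ancestors.index(BaseCommand) - 1]
  app_classes.any? { |a| a.public_instance_methods(false).any? method_name.to_sym }
end

if __FILE__ == $PROGRAM_NAME
  %w[DemoCommand DemoCommand#update_name DemoCommand#audit_log
     DemoCommand#send DemoCommand#drop_tables].each do |name|
    printf("%-26s weak=%-5s guard=%s\n", name,
           weak_allowed?(DemoCommand, name), guard_allowed?(DemoCommand, name))
  end
end
```

Running the script shows the divergence the advisory describes: "DemoCommand#send" passes the weak check but is aborted by the guard, while the application's own public actions pass both.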

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2024-28181
GHSA-MP76-7W5V-PR75

Affected Products

Turbo Boost-Commands