Merge pull request #3392 from beefproject/red/dev

Remediate sinatra vulnerability
2025-09-10 08:13:01 +10:00
parent d05ff08dbc cdb9ceda2a
commit bd8ad1fe1e
5 changed files with 36 additions and 21 deletions
--- a/6
+++ b/6
@@ -9,9 +9,9 @@ gem 'json'

 gem 'eventmachine', '~> 1.2', '>= 1.2.7'
 gem 'thin', '~> 2.0'
-gem 'sinatra', '~> 3.2'
-gem 'rack', '~> 2.2'
-gem 'rack-protection', '~> 3.2.0'
+gem 'sinatra', '~> 4.1'
+gem 'rack', '~> 3.2'
+gem 'rack-protection', '~> 4.1.1'
 gem 'em-websocket', '~> 0.5.3' # WebSocket support
 gem 'uglifier', '~> 4.2'
 gem 'mime-types', '~> 3.7'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -34,7 +34,7 @@ GEM
      io-endpoint
    base64 (0.3.0)
    benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
    browserstack-local (1.4.3)
    byebug (12.0.0)
    capybara (3.40.0)
@@ -48,8 +48,8 @@ GEM
      xpath (~> 3.2)
    coderay (1.1.3)
    concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
-    console (1.33.0)
+    connection_pool (2.5.4)
+    console (1.34.0)
      fiber-annotation
      fiber-local (~> 1.1)
      json
@@ -97,7 +97,7 @@ GEM
    mime-types (3.7.0)
      logger
      mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0819)
+    mime-types-data (3.2025.0902)
    mini_mime (1.1.5)
    minitest (5.25.5)
    mojo_magick (0.6.8)
@@ -154,10 +154,14 @@ GEM
      mojo_magick (~> 0.6.5)
      rqrcode_core (~> 1.0)
    racc (1.8.1)
-    rack (2.2.17)
-    rack-protection (3.2.0)
+    rack (3.2.1)
+    rack-protection (4.1.1)
      base64 (>= 0.1.0)
-      rack (~> 2.2, >= 2.2.4)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
    rack-test (2.2.0)
      rack (>= 1.3)
    rainbow (3.1.1)
@@ -173,7 +177,7 @@ GEM
      http-cookie (>= 1.0.2, < 2.0)
      mime-types (>= 1.16, < 4.0)
      netrc (~> 0.8)
-    rexml (3.4.1)
+    rexml (3.4.3)
    rqrcode_core (1.2.0)
    rr (3.1.2)
    rspec (3.13.1)
@@ -216,10 +220,12 @@ GEM
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 4.0)
      websocket (~> 1.0)
-    sinatra (3.2.0)
+    sinatra (4.1.1)
+      logger (>= 1.6.0)
      mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.2.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.1.1)
+      rack-session (>= 2.0.0, < 3)
      tilt (~> 2.0)
    slack-notifier (2.4.0)
    sqlite3 (2.7.3-aarch64-linux-gnu)
@@ -259,7 +265,7 @@ GEM
    tilt (2.6.1)
    timeout (0.4.3)
    timers (4.4.0)
-    tins (1.42.0)
+    tins (1.43.0)
      bigdecimal
      sync
    tzinfo (2.0.6)
@@ -313,8 +319,8 @@ DEPENDENCIES
  parseconfig (~> 1.1, >= 1.1.2)
  pry-byebug (~> 3.11)
  qr4r (~> 0.6.1)
-  rack (~> 2.2)
-  rack-protection (~> 3.2.0)
+  rack (~> 3.2)
+  rack-protection (~> 4.1.1)
  rake (~> 13.3)
  rdoc (~> 6.14)
  rest-client (~> 2.1.0)
@@ -323,7 +329,7 @@ DEPENDENCIES
  rubyzip (~> 3.1)
  rushover (~> 0.3.0)
  selenium-webdriver (~> 4.35)
-  sinatra (~> 3.2)
+  sinatra (~> 4.1)
  slack-notifier (~> 2.4)
  sqlite3 (~> 2.7)
  term-ansicolor
--- a/core/main/handlers/hookedbrowsers.rb
+++ b/core/main/handlers/hookedbrowsers.rb
@@ -71,7 +71,12 @@ module BeEF

          # @note get zombie if already hooked the framework
          hook_session_name = config.get('beef.http.hook_session_name')
-          hook_session_id = request[hook_session_name]
+          hook_session_id =
+            if request.respond_to?(:[])
+              request[hook_session_name]
+            else
+              request.params[hook_session_name] || request.env[hook_session_name]
+            end
          begin
            raise ActiveRecord::RecordNotFound if hook_session_id.nil?

--- a/core/main/network_stack/handlers/dynamicreconstruction.rb
+++ b/core/main/network_stack/handlers/dynamicreconstruction.rb
@@ -70,7 +70,11 @@ module BeEF
                res = JSON.parse(b64).first
                res['beefhook'] = packet[:beefhook]
                res['request'] = request
-                res['beefsession'] = request[BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')]
+                session_key = BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')
+                res['beefsession'] = request.cookies[session_key] ||
+                                    request.params[session_key] ||
+                                    request.env[session_key]
+
                execute(res)
              rescue JSON::ParserError => e
                print_debug 'Network stack could not decode packet stream.'
--- a/extensions/admin_ui/api/handler.rb
+++ b/extensions/admin_ui/api/handler.rb
@@ -149,7 +149,7 @@ module BeEF

            # mount the media folder where we store static files (javascript, css, images, audio) for the admin ui
            media_dir = "#{File.dirname(__FILE__)}/../media/"
-            beef_server.mount("#{bp}/media", Rack::File.new(media_dir))
+            beef_server.mount("#{bp}/media", Rack::Files.new(media_dir))

            # If we're not imitating a web server, mount the favicon to /favicon.ico
            # NOTE: this appears to be broken