Merge pull request #3392 from beefproject/red/dev

zinduolis · web-flow · commit bd8ad1fe1e3a · 2025-09-10T08:13:01.000+10:00
Remediate sinatra vulnerability
diff --git a/Gemfile b/Gemfile
@@ -9,9 +9,9 @@ gem 'json'
 
 gem 'eventmachine', '~> 1.2', '>= 1.2.7'
 gem 'thin', '~> 2.0'
-gem 'sinatra', '~> 3.2'
-gem 'rack', '~> 2.2'
-gem 'rack-protection', '~> 3.2.0'
+gem 'sinatra', '~> 4.1'
+gem 'rack', '~> 3.2'
+gem 'rack-protection', '~> 4.1.1'
 gem 'em-websocket', '~> 0.5.3' # WebSocket support
 gem 'uglifier', '~> 4.2'
 gem 'mime-types', '~> 3.7'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -34,7 +34,7 @@ GEM
       io-endpoint
     base64 (0.3.0)
     benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
     browserstack-local (1.4.3)
     byebug (12.0.0)
     capybara (3.40.0)
@@ -48,8 +48,8 @@ GEM
       xpath (~> 3.2)
     coderay (1.1.3)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
-    console (1.33.0)
+    connection_pool (2.5.4)
+    console (1.34.0)
       fiber-annotation
       fiber-local (~> 1.1)
       json
@@ -97,7 +97,7 @@ GEM
     mime-types (3.7.0)
       logger
       mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0819)
+    mime-types-data (3.2025.0902)
     mini_mime (1.1.5)
     minitest (5.25.5)
     mojo_magick (0.6.8)
@@ -154,10 +154,14 @@ GEM
       mojo_magick (~> 0.6.5)
       rqrcode_core (~> 1.0)
     racc (1.8.1)
-    rack (2.2.17)
-    rack-protection (3.2.0)
+    rack (3.2.1)
+    rack-protection (4.1.1)
       base64 (>= 0.1.0)
-      rack (~> 2.2, >= 2.2.4)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
     rack-test (2.2.0)
       rack (>= 1.3)
     rainbow (3.1.1)
@@ -173,7 +177,7 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
-    rexml (3.4.1)
+    rexml (3.4.3)
     rqrcode_core (1.2.0)
     rr (3.1.2)
     rspec (3.13.1)
@@ -216,10 +220,12 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 4.0)
       websocket (~> 1.0)
-    sinatra (3.2.0)
+    sinatra (4.1.1)
+      logger (>= 1.6.0)
       mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.2.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.1.1)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
     slack-notifier (2.4.0)
     sqlite3 (2.7.3-aarch64-linux-gnu)
@@ -259,7 +265,7 @@ GEM
     tilt (2.6.1)
     timeout (0.4.3)
     timers (4.4.0)
-    tins (1.42.0)
+    tins (1.43.0)
       bigdecimal
       sync
     tzinfo (2.0.6)
@@ -313,8 +319,8 @@ DEPENDENCIES
   parseconfig (~> 1.1, >= 1.1.2)
   pry-byebug (~> 3.11)
   qr4r (~> 0.6.1)
-  rack (~> 2.2)
-  rack-protection (~> 3.2.0)
+  rack (~> 3.2)
+  rack-protection (~> 4.1.1)
   rake (~> 13.3)
   rdoc (~> 6.14)
   rest-client (~> 2.1.0)
@@ -323,7 +329,7 @@ DEPENDENCIES
   rubyzip (~> 3.1)
   rushover (~> 0.3.0)
   selenium-webdriver (~> 4.35)
-  sinatra (~> 3.2)
+  sinatra (~> 4.1)
   slack-notifier (~> 2.4)
   sqlite3 (~> 2.7)
   term-ansicolor
diff --git a/core/main/handlers/hookedbrowsers.rb b/core/main/handlers/hookedbrowsers.rb
@@ -71,7 +71,12 @@ def confirm_browser_user_agent(user_agent)
 
           # @note get zombie if already hooked the framework
           hook_session_name = config.get('beef.http.hook_session_name')
-          hook_session_id = request[hook_session_name]
+          hook_session_id =
+            if request.respond_to?(:[])
+              request[hook_session_name]
+            else
+              request.params[hook_session_name] || request.env[hook_session_name]
+            end
           begin
             raise ActiveRecord::RecordNotFound if hook_session_id.nil?
 
diff --git a/core/main/network_stack/handlers/dynamicreconstruction.rb b/core/main/network_stack/handlers/dynamicreconstruction.rb
@@ -70,7 +70,11 @@ def check_packets
                 res = JSON.parse(b64).first
                 res['beefhook'] = packet[:beefhook]
                 res['request'] = request
-                res['beefsession'] = request[BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')]
+                session_key = BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')
+                res['beefsession'] = request.cookies[session_key] ||
+                                    request.params[session_key] ||
+                                    request.env[session_key]
+
                 execute(res)
               rescue JSON::ParserError => e
                 print_debug 'Network stack could not decode packet stream.'
diff --git a/extensions/admin_ui/api/handler.rb b/extensions/admin_ui/api/handler.rb
@@ -149,7 +149,7 @@ def self.mount_handler(beef_server)
 
             # mount the media folder where we store static files (javascript, css, images, audio) for the admin ui
             media_dir = "#{File.dirname(__FILE__)}/../media/"
-            beef_server.mount("#{bp}/media", Rack::File.new(media_dir))
+            beef_server.mount("#{bp}/media", Rack::Files.new(media_dir))
 
             # If we're not imitating a web server, mount the favicon to /favicon.ico
             # NOTE: this appears to be broken
