Add CVE-2018-3777 for restforce

Author: reedloden

gems/restforce/CVE-2018-3777.yml

@@ -0,0 +1,36 @@
+---
+gem: restforce
+cve: 2018-3777
+date: 2018-07-27
+url: https://github.com/restforce/restforce/pull/392
+title: Insufficient URI encoding in restforce
+description: |
+  A flaw in how restforce constructs URL's may allow an attacker to inject
+  additional parameters into Salesforce API requests.
+
+  Impact
+  ------
+  This flaw is only exploitable in applications that pass user input directly
+  to restforce's select, find, describe, update, upsert, and destroy methods.
+  Vulnerable code might look like:
+
+  ```ruby
+  client.select('SomeSalesForceObject', params[:some-id],
+     ...)
+  ```
+
+  In such an application, attackers could pass `0016000000MRatd/describe`
+  as a request parameter, causing the server to make a request to a different
+  endpoint than the server is designed to handle. Since the Salesforce REST
+  API supports overriding HTTP methods via a request parameter, an attacker
+  could also cause the client's `select()` method to modify data, by passing
+  `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`.
+
+  Workarounds
+  ------
+  If possible, applications should track salesforce IDs internally, rather than
+  passing user-supplied IDs to salesforce. Such practice mitigates this
+  vulnerability, and in general is desirable for ensuring strong access control.
+
+patched_versions:
+- ">= 3.0.0"