Rails dynamic render

On February 12, 2016, a security researcher named John Poulin published a vulnerability affecting all Ruby on Rails (RoR) versions until that moment.

RoR is a web framework based on Ruby. To generate views for the user, RoR uses a component called Action View; this component is responsible for rendering the information entered by the user and building the views that are displayed in the browser.

John Poulin discovered that Action View did not validate the input used to choose the view, in code like this:

    def index
      # Vulnerable: the untrusted request parameter is passed straight to render
      render params[:id]
    end

This action renders the file app/views/user/#{params[template]}. The parameter value names a file with the .html, .htm or .erb extension, which is loaded as app/views/user/dashboard.{ext}. This is the normal behavior, but what happens if you enter the value ../admin/dashboard?

The application returns the path 7 as a result. John Poulin found that, at that moment, the application tried to render the missing dashboard by searching in different paths, including the RAILS_ROOT path, the filesystem root!

Using that, it was possible to extract sensitive files such as /etc/passwd.

The mitigation proposed was simply to validate the paths from which Action View loads files, using the following code:

    def show
      template = params[:id]

      # Allow-list: only these template names may ever reach render
      valid_templates = {
        "dashboard" => "dashboard",
        "profile"   => "profile",
        "deals"     => "deals"
      }

      if valid_templates.include?(template)
        render valid_templates[template]
      else
        # Unknown template name: respond with 404 instead of rendering
        head :not_found
      end
    end

This code only lets Action View load the "dashboard", "profile" or "deals" templates; if the requested template is not one of those, it returns a 404 error. Another option was the following:

    def show
      template = params[:id]
      # Allow-list built from the .erb files actually present in the folder
      d = Dir["myfolder/*.erb"]

      if d.include?("myfolder/#{template}.erb")
        render "myfolder/#{template}"
      else
        # Template not in the folder (e.g. a traversal attempt): respond with 404
        head :not_found
      end
    end

In this code, we limit the search to the root folder and, if the template is not in the root folder, return a 404 error.
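The following is an added example, not code from the page or from Rails, that puts the two mitigations above side by side with the unsafe behaviour in plain Ruby: it builds a constructed temporary view tree, shows where a raw parameter such as ../admin/dashboard would resolve, and resolves only names found in the folder's own allow-list. The helper names (build_sample_views, naive_template_path, safe_template, inside?) are assumptions of this example.

```ruby
require "tmpdir"
require "fileutils"

# Constructed sample view tree (not a real app): only the two files under
# "user" are legitimate targets for the user-facing action.
def build_sample_views(root)
  FileUtils.mkdir_p(File.join(root, "user"))
  FileUtils.mkdir_p(File.join(root, "admin"))
  File.write(File.join(root, "user", "dashboard.html.erb"), "<h1>dashboard</h1>")
  File.write(File.join(root, "user", "profile.html.erb"), "<h1>profile</h1>")
  File.write(File.join(root, "admin", "dashboard.html.erb"), "<h1>admin</h1>")
  root
end

# Unsafe resolution: what a dynamic render effectively does with the raw
# parameter. A relative segment in the name escapes the intended folder.
def naive_template_path(views_root, template)
  File.expand_path("#{template}.html.erb", File.join(views_root, "user"))
end

# Hardened resolution: derive the allow-list from the files that actually
# exist in the folder (like the Dir["myfolder/*.erb"] mitigation) and accept
# a template only when its name is exactly one of those entries. Anything
# containing a slash or traversal segment can never match a basename.
def safe_template(views_root, template)
  folder = File.join(views_root, "user")
  allowed = Dir[File.join(folder, "*.html.erb")]
              .map { |f| File.basename(f, ".html.erb") }
  return nil unless allowed.include?(template)
  "user/#{template}"
end

# Containment check: true only if path lies strictly below root.
def inside?(root, path)
  path.start_with?(File.expand_path(root) + File::SEPARATOR)
end
```

Checking the resolved path with inside? is a cheap second line of defence for any code that still builds file paths from request input.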

This is an interesting example because it affected all of the applications developed with these RoR versions.

If you want to read more about this bug, visit the CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752.
