
Rails 4.2 Vulnerabilities

To enumerate Rails 4.2 vulnerabilities, we created an application using the latest patch version of Rails 4.2 and ran bundler-audit to find all known vulnerabilities.

Here we list the security risks related to a sample Rails 4.2 application.


VULNERABLE GEM: ACTIONVIEW@4.2.11

Name: actionview

Version: 4.2.11

ID: CVE-2019-5419

URL: Link

Title: Denial of Service Vulnerability in Action View

Description: There is a potential denial of service vulnerability in actionview. This vulnerability has been assigned the CVE identifier CVE-2019-5419.

IMPACT

Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, leaving the server unable to process requests. This impacts all Rails applications that render views.

All users running an affected release should either upgrade or use one of the workarounds immediately.

WORKAROUNDS

This vulnerability can be mitigated by wrapping render calls with respond_to blocks. For example, the following example is vulnerable:


          class UserController < ApplicationController
            def index
              render "index"
            end
          end
        

But the following code is not vulnerable:


          class UserController < ApplicationController
            def index
              respond_to do |format|
                format.html { render "index" }
              end
            end
          end
        

Implicit rendering is impacted, so this code is vulnerable:


          class UserController < ApplicationController
            def index
            end
          end
        

But it can be changed to this:


          class UserController < ApplicationController
            def index
              respond_to do |format|
                format.html { render "index" }
              end
            end
          end
        

As an alternative to specifying the format, the following monkey patch can be applied in an initializer:


          $ cat config/initializers/formats_filter.rb
          # frozen_string_literal: true

          ActionDispatch::Request.prepend(Module.new do
            def formats
              super().select do |format|
                format.symbol || format.ref == "*/*"
              end
            end
          end)
        

VULNERABLE GEM: ACTIONVIEW@4.2.11

Name: actionview

Version: 4.2.11

ID: CVE-2019-5418

URL: Link

Title: File Content Disclosure in Action View

Description: There is a possible file content disclosure vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2019-5418.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

IMPACT

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:


          class UserController < ApplicationController
            def index
              render file: "#{Rails.root}/some/file"
            end
          end
        

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

RELEASES

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

WORKAROUNDS

This vulnerability can be mitigated by specifying a format for file rendering, like this:


          class UserController < ApplicationController
            def index
              render file: "#{Rails.root}/some/file", formats: [:html]
            end
          end
        

In summary, impacted calls to render look like this:


          render file: "#{Rails.root}/some/file"
        

The vulnerability can be mitigated by changing to this:


          render file: "#{Rails.root}/some/file", formats: [:html]
        

Other calls to render are not impacted.

Alternatively, the following monkey patch can be applied in an initializer:


          $ cat config/initializers/formats_filter.rb
          # frozen_string_literal: true

          ActionDispatch::Request.prepend(Module.new do
            def formats
              super().select do |format|
                format.symbol || format.ref == "*/*"
              end
            end
          end)
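The formats_filter initializer shown for both CVEs above keeps only Accept-header entries that map to a registered MIME type (plus the catch-all). The following stand-alone model, added here and not part of the advisories or of Rails itself, reproduces that select block without Rails so you can see which entries survive; the registered-type table is a reduced assumption, and the catch-all is modelled as unregistered so that the ref == "*/*" clause is what keeps it.

```ruby
# Registered MIME types, modelled on Mime::Type.register (assumption: a reduced table).
# In Rails a registered type carries a symbol (:html, :json, ...); an unregistered
# type resolved from the Accept header has symbol nil and only its raw "ref" string.
REGISTERED = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

MimeType = Struct.new(:ref, :symbol, :q)

# Parse a raw Accept header into MimeType values, ordered by quality (stable on ties).
def parse_accept(header)
  entries = header.to_s.split(",").map(&:strip).reject(&:empty?).map do |entry|
    ref, *params = entry.split(";").map(&:strip)
    pairs = params.map { |p| p.split("=", 2) }.select { |kv| kv.size == 2 }.to_h
    MimeType.new(ref, REGISTERED[ref], pairs.fetch("q", "1").to_f)
  end
  entries.sort_by.with_index { |t, i| [-t.q, i] }
end

# The equivalent of the initializer's select block: drop anything that is not a
# registered type, except the catch-all "*/*".
def filtered_formats(header)
  parse_accept(header).select { |format| format.symbol || format.ref == "*/*" }
end

# Constructed Accept header: two registered types, one unregistered type, and the catch-all.
SAMPLE_ACCEPT = "application/x-unregistered;q=0.9, text/html, application/json;q=0.8, */*;q=0.1"

if __FILE__ == $0
  puts "before filter: #{parse_accept(SAMPLE_ACCEPT).map(&:ref).inspect}"
  puts "after filter:  #{filtered_formats(SAMPLE_ACCEPT).map(&:ref).inspect}"
end
```

The unregistered entry is what the filter removes; registered types and "*/*" pass through in their original quality order.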