RubySec

Providing security resources for the Ruby community

CVE-2019-5418 (actionview): File Content Disclosure in Action View

ADVISORIES

GEM

actionview

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • ~> 4.2.11, >= 4.2.11.1
  • ~> 5.0.7, >= 5.0.7.2
  • ~> 5.1.6, >= 5.1.6.2
  • ~> 5.2.2, >= 5.2.2.1
  • >= 6.0.0.beta3

DESCRIPTION

There is a possible file content disclosure vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2019-5418.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

Impact

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file"
  end
end

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

Workarounds

This vulnerability can be mitigated by specifying a format for file rendering, like this:

class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file", formats: [:html]
  end
end

In summary, impacted calls to render look like this:

render file: "#{Rails.root}/some/file"

The vulnerability can be mitigated by changing to this:

render file: "#{Rails.root}/some/file", formats: [:html]

Other calls to render are not impacted.

Alternatively, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)

Credits

Thanks to John Hawthorn <john@hawthorn.email> of GitHub