RubySec

Providing security resources for the Ruby community

CVE-2020-8164 (actionpack): Possible Strong Parameters Bypass in ActionPack

ADVISORIES

GEM

actionpack

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 7.5 (High)

UNAFFECTED VERSIONS

  • < 4.0.0

PATCHED VERSIONS

  • ~> 5.2.4, >= 5.2.4.3
  • >= 6.0.3.1

DESCRIPTION

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 4.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.