Rubysec

---
gem: actionview
date: 2019-03-13
url: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
cve: 2019-5418
title: File Content Disclosure in Action View
description: |
  There is a possible file content disclosure vulnerability in Action View. This
  vulnerability has been assigned the CVE identifier CVE-2019-5418.

  Versions Affected:  All.
  Not affected:       None.
  Fixed Versions:     6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

  Impact
  ------
  There is a possible file content disclosure vulnerability in Action View.
  Specially crafted accept headers in combination with calls to `render file:`
  can cause arbitrary files on the target server to be rendered, disclosing the
  file contents.

  The impact is limited to calls to `render` which render file contents without
  a specified accept format.  Impacted code in a controller looks something like
  this:

  ```
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file"
    end
  end
  ```

  Rendering templates as opposed to files is not impacted by this vulnerability.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
  available at the normal locations.

  Workarounds
  -----------
  This vulnerability can be mitigated by specifying a format for file rendering,
  like this:

  ```
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file", formats: [:html]
    end
  end
  ```

  In summary, impacted calls to `render` look like this:

  ```
  render file: "#{Rails.root}/some/file"
  ```

  The vulnerability can be mitigated by changing to this:

  ```
  render file: "#{Rails.root}/some/file", formats: [:html]
  ```

  Other calls to `render` are not impacted.

  Alternatively, the following monkey patch can be applied in an initializer:

  ```
  $ cat config/initializers/formats_filter.rb
  # frozen_string_literal: true

  ActionDispatch::Request.prepend(Module.new do
    def formats
      super().select do |format|
        format.symbol || format.ref == "*/*"
      end
    end
  end)
  ```
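  The selection rule in that initializer can be exercised outside Rails. The
  following is an added example, not part of the advisory, that uses a minimal
  stand-in for `Mime::Type` (a struct with `ref` and `symbol`) and a
  hypothetical registry of a few types; it parses an Accept header and applies
  the same filter the monkey patch applies in `Request#formats`, so that only
  registered types or the `*/*` wildcard survive:

  ```ruby
  # Added example (not from the advisory): stand-alone model of the
  # formats-filter workaround, runnable without Rails.

  # Hypothetical subset of a MIME registry: media type => registered symbol.
  # Anything not listed here is "unregistered" and has no symbol.
  REGISTERED = {
    "text/html"        => :html,
    "application/json" => :json,
    "text/plain"       => :text,
  }.freeze

  # Minimal stand-in for ActionDispatch's Mime::Type:
  # `ref` is the raw media type string, `symbol` the registered name or nil.
  MimeType = Struct.new(:ref, :symbol)

  # Parse an Accept header into MimeType objects. Parameters such as ";q=0.8"
  # are dropped; empty entries are skipped.
  def parse_accept(header)
    header.to_s.split(",").filter_map do |part|
      media = part.split(";").first.to_s.strip
      next if media.empty?
      MimeType.new(media, REGISTERED[media])
    end
  end

  # Same rule the advisory's initializer applies: keep a type only if it is
  # registered (has a symbol) or is the wildcard "*/*". Unregistered values
  # supplied by the client never reach `render file:` as a format.
  def safe_formats(header)
    parse_accept(header).select { |f| f.symbol || f.ref == "*/*" }
  end

  if __FILE__ == $PROGRAM_NAME
    # Constructed sample headers for illustration.
    ["text/html, application/json;q=0.9",
     "application/vnd.unregistered, */*",
     ""].each do |h|
      puts "#{h.inspect} => #{safe_formats(h).map(&:ref).inspect}"
    end
  end
  ```

  The point to verify in a real application is that the filtered list is what
  reaches `render`: with the initializer loaded, an unregistered media type in
  the request no longer influences which file is resolved.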

  Credits
  -------
  Thanks to John Hawthorn <john@hawthorn.email> of GitHub
patched_versions:
- "~> 4.2.11, >= 4.2.11.1"
- "~> 5.0.7, >= 5.0.7.2"
- "~> 5.1.6, >= 5.1.6.2"
- "~> 5.2.2, >= 5.2.2.1"
- ">= 6.0.0.beta3"