Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: actionview
date: 2019-03-13
url: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
cve: 2019-5419
title: Denial of Service Vulnerability in Action View
description: |
  There is a potential denial of service vulnerability in actionview.
  This vulnerability has been assigned the CVE identifier CVE-2019-5419.

  Impact
  ------
  Specially crafted accept headers can cause the Action View template location
  code to consume 100% CPU, leaving the server unable to process requests. This
  impacts all Rails applications that render views.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Workarounds
  -----------
  This vulnerability can be mitigated by wrapping `render` calls with
  `respond_to` blocks. For example, the following code is vulnerable:

  ```
  class UserController < ApplicationController
    def index
      render "index"
    end
  end
  ```

  But the following code is not vulnerable:

  ```
  class UserController < ApplicationController
    def index
      respond_to do |format|
        format.html { render "index" }
      end
    end
  end
  ```

  Implicit rendering is impacted, so this code is vulnerable:

  ```
  class UserController < ApplicationController
    def index
    end
  end
  ```

  But it can be changed to this:

  ```
  class UserController < ApplicationController
    def index
      respond_to do |format|
        format.html { render "index" }
      end
    end
  end
  ```

  As an alternative to specifying the format, the following monkey patch can be
  applied in an initializer:

  ```
  # config/initializers/formats_filter.rb
  # frozen_string_literal: true

  ActionDispatch::Request.prepend(Module.new do
    def formats
      super().select do |format|
        format.symbol || format.ref == "*/*"
      end
    end
  end)
  ```

  Credits
  -------
  Thanks to John Hawthorn <john@hawthorn.email> of GitHub
patched_versions:
- ">= 6.0.0.beta3"
- "~> 5.2.2, >= 5.2.2.1"
- "~> 5.1.6, >= 5.1.6.2"
- "~> 5.0.7, >= 5.0.7.2"
- "~> 4.2.11, >= 4.2.11.1"
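As an added example, not code from the advisory or from Rails, the following stand-alone Ruby script simulates the initializer workaround above: it parses an Accept header into a formats list and applies the same `symbol || ref == "*/*"` filter, so the effect of the workaround on client-supplied media types can be checked without booting an app. `REGISTERED`, `MimeLike`, `parse_accept` and `filter_formats` are constructed stand-ins for the Mime::Type registry and `ActionDispatch::Request#formats`, not real Rails API.

```ruby
# Constructed stand-in for the MIME types a Rails app has registered.
# Only registered types get a symbol; anything else maps to nil.
REGISTERED = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Minimal stand-in for Mime::Type: just the two attributes the filter reads.
MimeLike = Struct.new(:ref, :symbol)

# Parse an Accept header into MimeLike values ordered by descending q-value
# (ties keep header order), roughly the order a request's formats list has.
def parse_accept(header)
  entries = []
  header.split(",").each_with_index do |part, idx|
    type, *params = part.split(";").map(&:strip)
    next if type.nil? || type.empty?
    q_param = params.find { |p| p.start_with?("q=") }
    q = q_param ? q_param.delete_prefix("q=").to_f : 1.0
    entries << [MimeLike.new(type, REGISTERED[type]), q, idx]
  end
  entries.sort_by { |_, q, idx| [-q, idx] }.map(&:first)
end

# The advisory's filter: keep only formats with a registered symbol, or the
# "*/*" wildcard. Unregistered media types from the client are dropped before
# they could drive template lookup.
def filter_formats(formats)
  formats.select { |format| format.symbol || format.ref == "*/*" }
end

# Header string in, list of surviving media-type strings out.
def accepted_refs(header)
  filter_formats(parse_accept(header)).map(&:ref)
end
```

Note that a header made up entirely of unregistered types filters down to an empty list; what the application does with an empty formats list is a separate decision the advisory does not cover.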