Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: activemodel
date: 2016-01-25
url: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
cve: 2016-0753
title: Possible Input Validation Circumvention in Active Model
description: |
  There is a possible input validation circumvention vulnerability in Active
  Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.

  Versions Affected:  4.1.0 and newer
  Not affected:       4.0.13 and older
  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1

  Impact
  ------
  Code that passes user input to an Active Model based model (including Active
  Record models) without validating that input first can be attacked: specially
  crafted input causes the model to skip its validations.

  Vulnerable code will look something like this:

  ```ruby
  SomeModel.new(unverified_user_input)
  ```

  Rails applications using Strong Parameters are generally not affected, because
  parameters are whitelisted and mass assignment of everything requires an
  explicit opt-out from that check via the `permit!` method.

  For example, a vulnerable Rails application will have code that looks like
  this:

  ```ruby
  def create
    params.permit! # allow all parameters, so every key reaches a User setter
    @user = User.new params[:users]
  end
  ```

  Active Model and Active Record objects are not equipped to handle arbitrary
  user input. It is up to the application to verify input before passing it to
  Active Model models. Rails users already have Strong Parameters in place to
  handle whitelisting, but applications using Active Model and Active Record
  outside of a Rails environment may be impacted.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  There are several workarounds depending on the application. Inside a Rails
  application, stop using `permit!` and permit only the parameters the form
  needs. Outside a Rails application, either use Hash#slice to select the
  parameters you need, or integrate Strong Parameters with your application.

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches
  for the supported release series and the 5.0 beta. They are in git-am format
  and consist of a single changeset.

  * 4-1-validation_skip.patch - Patch for 4.1 series
  * 4-2-validation_skip.patch - Patch for 4.2 series
  * 5-0-validation_skip.patch - Patch for 5.0 series

  Please note that only the 4.1.x and 4.2.x series are supported at present.
  Users of earlier unsupported releases are advised to upgrade as soon as
  possible as we cannot guarantee the continued availability of security fixes
  for unsupported releases.

  Credits
  -------
  Thanks to:

  [John Backus](https://github.com/backus) from BlockScore for reporting this!
unaffected_versions:
- "<= 4.0.13"
patched_versions:
- "~> 5.0.0.beta1.1"
- "~> 4.2.5, >= 4.2.5.1"
- "~> 4.1.14, >= 4.1.14.1"
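The Hash#slice workaround from the advisory, as an added example that is not part of the advisory and is not Rails or Active Model code. It uses a plain-Ruby `Account` model that mass-assigns the way Active Model does (one public setter call per hash key), so it runs without the activemodel gem. `Account`, `ACCOUNT_PARAMS`, `permitted`, `unpermitted_keys` and the attacker input are all constructed for the illustration; the block does not reproduce the specific CVE-2016-0753 bypass, which the advisory does not describe, but shows why an unfiltered hash must never reach the model and how an allowlist confines it.

```ruby
# Added example (not from the advisory or from Rails): a model that
# mass-assigns like Active Model, beside the Hash#slice allowlist the
# advisory recommends for applications outside Rails.

class Account
  # attributes a signup form is expected to set
  attr_accessor :email, :name
  # internal attribute that must never be set from user input
  attr_accessor :role

  def initialize(attrs = {})
    @role = "member"
    assign_attributes(attrs)
  end

  # Mass assignment: every key becomes a call to the matching public setter,
  # so any public `foo=` on the object is reachable from the hash. Unknown
  # keys raise, as Active Record's UnknownAttributeError would.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      raise ArgumentError, "unknown attribute: #{key}" unless respond_to?(setter)
      public_send(setter, value)
    end
  end

  # Minimal stand-in for Active Model validations.
  def valid?
    !email.to_s.empty? && email.include?("@") && !name.to_s.empty?
  end
end

# Allowlist the application declares for this form (hypothetical).
ACCOUNT_PARAMS = %w[email name].freeze

# The advisory's non-Rails workaround: keep only the keys you expect.
# Keys are normalised to strings first so "role" and :role are treated alike.
def permitted(input, allowed)
  input.transform_keys(&:to_s).slice(*allowed)
end

# Keys that were dropped. Worth logging: unexpected keys usually mean someone
# is probing which setters the model exposes.
def unpermitted_keys(input, allowed)
  input.transform_keys(&:to_s).keys - allowed
end

# Constructed attacker input: the legitimate form fields plus one extra key
# that happens to match a public setter the form was never meant to reach.
ATTACKER_INPUT = {
  "email" => "mallory@example.com",
  :name   => "Mallory",
  "role"  => "admin",
}.freeze

# Vulnerable pattern from the advisory: the raw hash goes straight to the model.
def unfiltered_account
  Account.new(ATTACKER_INPUT)
end

# Hardened pattern: only allowlisted keys reach the model.
def filtered_account
  Account.new(permitted(ATTACKER_INPUT, ACCOUNT_PARAMS))
end

if __FILE__ == $0
  puts "unfiltered: role=#{unfiltered_account.role}"            # admin
  acct = filtered_account
  puts "filtered:   role=#{acct.role}, valid=#{acct.valid?}"     # member, true
  puts "dropped keys: #{unpermitted_keys(ATTACKER_INPUT, ACCOUNT_PARAMS).inspect}"
end
```

Strong Parameters does the same job inside Rails (`params.require(:account).permit(:email, :name)`); the point of the plain-Ruby version is that the filtering has to happen before the hash is handed to the model, because the model itself will call whatever setter a key names.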