
Commit 6445bea

Merge pull request #265 from reedloden/rails-security-20160811
Add CVE-2016-6316 for actionview and CVE-2016-6317 for activerecord
2 parents 18786e5 + dc235e1 commit 6445bea

2 files changed: +128 -0 lines changed

gems/actionview/CVE-2016-6316.yml

Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
---
2+
gem: actionview
3+
framework: rails
4+
cve: 2016-6316
5+
date: 2016-08-11
6+
url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
7+
8+
title: Possible XSS Vulnerability in Action View
9+
10+
description: |
11+
There is a possible XSS vulnerability in Action View. Text declared as "HTML
12+
safe" will not have quotes escaped when used as attribute values in tag
13+
helpers.
14+
15+
Impact
16+
------
17+
18+
Text declared as "HTML safe" when passed as an attribute value to a tag helper
19+
will not have quotes escaped which can lead to an XSS attack. Impacted code
20+
looks something like this:
21+
22+
```ruby
23+
content_tag(:div, "hi", title: user_input.html_safe)
24+
```
25+
26+
Some helpers like the `sanitize` helper will automatically mark strings as
27+
"HTML safe", so impacted code could also look something like this:
28+
29+
```ruby
30+
content_tag(:div, "hi", title: sanitize(user_input))
31+
```
32+
33+
All users running an affected release should either upgrade or use one of the
34+
workarounds immediately.
35+
36+
Workarounds
37+
-----------
38+
You can work around this issue by either *not* marking arbitrary user input as
39+
safe, or by manually escaping quotes like this:
40+
41+
```ruby
42+
def escape_quotes(value)
43+
value.gsub(/"/, '"'.freeze)
44+
end
45+
46+
content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
47+
```
48+
49+
unaffected_versions:
50+
- "< 3.0.0"
51+
52+
patched_versions:
53+
- ~> 3.2.22.3
54+
- ~> 4.2.7.1
55+
- ">= 5.0.0.1"
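Review bot: the `escape_quotes` helper in the Workarounds section is a no-op as written: `value.gsub(/"/, '"'.freeze)` replaces a double quote with a double quote, so `content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))` still emits the unescaped quote into the attribute value. The replacement should be the HTML entity, `value.gsub(/"/, '&quot;'.freeze)`, so a quote in user input cannot terminate the `title` attribute; it looks like the entity was collapsed when the advisory text was copied in, so please restore it before merging. A second point worth stating in the description: `unaffected_versions: "< 3.0.0"` together with `patched_versions` beginning at `~> 3.2.22.3` leaves 3.0.x and 3.1.x affected with no patched release, so users on those lines have only the workaround.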

gems/activerecord/CVE-2016-6317.yml

Lines changed: 73 additions & 0 deletions
@@ -0,0 +1,73 @@
1+
---
2+
gem: activerecord
3+
framework: rails
4+
cve: 2016-6317
5+
date: 2016-08-11
6+
url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
7+
8+
title: Unsafe Query Generation Risk in Active Record
9+
10+
description: |
11+
There is a vulnerability when Active Record is used in conjunction with JSON
12+
parameter parsing. This vulnerability is similar to CVE-2012-2660,
13+
CVE-2012-2694 and CVE-2013-0155.
14+
15+
Impact
16+
------
17+
18+
Due to the way Active Record interprets parameters in combination with the way
19+
that JSON parameters are parsed, it is possible for an attacker to issue
20+
unexpected database queries with "IS NULL" or empty where clauses. This issue
21+
does *not* let an attacker insert arbitrary values into an SQL query, however
22+
they can cause the query to check for NULL or eliminate a WHERE clause when
23+
most users wouldn't expect it.
24+
25+
For example, a system has password reset with token functionality:
26+
27+
```ruby
28+
unless params[:token].nil?
29+
user = User.find_by_token(params[:token])
30+
user.reset_password!
31+
end
32+
```
33+
34+
An attacker can craft a request such that `params[:token]` will return
35+
`[nil]`. The `[nil]` value will bypass the test for nil, but will still add
36+
an "IN ('xyz', NULL)" clause to the SQL query.
37+
38+
Similarly, an attacker can craft a request such that `params[:token]` will
39+
return an empty hash. An empty hash will eliminate the WHERE clause of the
40+
query, but can bypass the `nil?` check.
41+
42+
Note that this impacts not only dynamic finders (`find_by_*`) but also
43+
relations (`User.where(:name => params[:name])`).
44+
45+
All users running an affected release should either upgrade or use one of the
46+
work arounds immediately. All users running an affected release should upgrade
47+
immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
48+
CVE-2012-2694, and CVE-2013-0155. Even if you upgraded to address those
49+
issues, you must take action again.
50+
51+
If this chance in behavior impacts your application, you can manually decode
52+
the original values from the request like so:
53+
54+
`ActiveSupport::JSON.decode(request.body)`
55+
56+
Workarounds
57+
-----------
58+
This problem can be mitigated by casting the parameter to a string before
59+
passing it to Active Record. For example:
60+
61+
```ruby
62+
unless params[:token].nil? || params[:token].to_s.empty?
63+
user = User.find_by_token(params[:token].to_s)
64+
user.reset_password!
65+
end
66+
```
67+
68+
unaffected_versions:
69+
- "< 4.2.0"
70+
- ">= 5.0.0"
71+
72+
patched_versions:
73+
- ~> 4.2.7.1
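Review bot: the description has two wording errors to fix before merge: "work arounds" should be "workarounds" to match the section heading, and "If this chance in behavior impacts your application" should read "change in behavior". The adjacent sentences "All users running an affected release should either upgrade or use one of the work arounds immediately. All users running an affected release should upgrade immediately." say the same thing twice; keep one. The Workarounds block would also benefit from one sentence explaining why the cast is sufficient: `params[:token].to_s` turns the `[nil]` and `{}` payloads into the literal strings `"[nil]"` and `"{}"`, which pass the `empty?` check but are then matched as ordinary token values, so neither an `IN (..., NULL)` clause nor an empty `WHERE` can be produced.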
