diff options
| author | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-23 16:31:52 +0100 |
|---|---|---|
| committer | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-28 20:29:38 +0100 |
| commit | 69ab91ae9396f0101afd13871f179a7f779d3178 (patch) | |
| tree | 5fea152a7fce596367503badf11bc21fe2e4e0c4 /guides/source/security.md | |
| parent | b9cd5a29dd4c6142b19c861fbf1a67452320b3dd (diff) | |
| download | rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.gz rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.bz2 rails-69ab91ae9396f0101afd13871f179a7f779d3178.zip | |
Log which keys were set to nil in deep_munge
deep_munge solves CVE-2013-0155 security vulnerability, but its
behaviour is definately confuisng. This commit adds logging to deep_munge.
It logs keys for which values were set to nil.
Also mentions in guides were added.
Diffstat (limited to 'guides/source/security.md')
| -rw-r--r-- | guides/source/security.md | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index cffe7c85f1..70fb066b64 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -915,6 +915,49 @@ Content-Type: text/html Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._ +Unsafe Query Generation +----------------------- + +Due to the way Active Record interprets parameters in combination with the way +that Rack parses query parameters it was possible to issue unexpected database +queries with `IS NULL` where clauses. As a response to that security issue +([CVE-2012-2660](https://groups.google.com/forum/#!searchin/rubyonrails-security/deep_munge/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ), +[CVE-2012-2694](https://groups.google.com/forum/#!searchin/rubyonrails-security/deep_munge/rubyonrails-security/jILZ34tAHF4/7x0hLH-o0-IJ) +and [CVE-2013-0155](https://groups.google.com/forum/#!searchin/rubyonrails-security/CVE-2012-2660/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ)) +`deep_munge` method was introduced as a solution to keep Rails secure by default. + +Example of vulnerable code that could be used by attacker, if `deep_munge` +wasn't performed is: + +```ruby +unless params[:token].nil? + user = User.find_by_token(params[:token]) + user.reset_password! +end +``` + +When `params[:token]` is one of: `[]`, `[nil]`, `[nil, nil, ...]` or +`['foo', nil]` it will bypass the test for `nil`, but `IS NULL` or +`IN ('foo', NULL)` where clauses still will be added to the SQL query. + +To keep rails secure by default, `deep_munge` replaces some of the values with +`nil`. Below table shows what the parameters look like based on `JSON` sent in +request: + +| JSON | Parameters | +|-----------------------------------|--------------------------| +| `{ "person": null }` | `{ :person => nil }` | +| `{ "person": [] }` | `{ :person => nil }` | +| `{ "person": [null] }` | `{ :person => nil }` | +| `{ "person": [null, null, ...] }` | `{ :person => nil }` | +| `{ "person": ["foo", null] }` | `{ :person => ["foo"] }` | + +It is possible to return to old behaviour and disable `deep_munge` configuring +your application if you are aware of the risk and know how to handle it: + +```ruby +config.action_dispatch.perform_deep_munge = false +``` Default Headers --------------- |