From 769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9 Mon Sep 17 00:00:00 2001
From: Arthur Neves
Date: Tue, 2 Feb 2016 12:34:11 -0500
Subject: Don't allow render(params) in view/controller

`render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098
---
 actionpack/lib/action_view/renderer/renderer.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'actionpack/lib/action_view')

diff --git a/actionpack/lib/action_view/renderer/renderer.rb b/actionpack/lib/action_view/renderer/renderer.rb
index bf1b5a7d22..0f359899d6 100644
--- a/actionpack/lib/action_view/renderer/renderer.rb
+++ b/actionpack/lib/action_view/renderer/renderer.rb
@@ -11,6 +11,11 @@ module ActionView
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if (options.is_a?(HashWithIndifferentAccess) && !options.respond_to?(:permitted?)) ||
+        (options.respond_to?(:permitted?) && !options.permitted?)
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else
-- 
cgit v1.2.3
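Review bot: The new guard at the top of `render` only inspects the top-level `options` object, so it stops `render params` but says nothing about user-controlled values the application copies into its own Hash (`render partial: params[:x]`) or about a strong-parameters object that has been permitted (`render params.permit(:inline)`), both of which still reach the renderer with `:inline`/`:file` semantics intact; the raise is sound, but its limits should be stated next to it so nobody reads "compatible with strong parameters" as "permitted params are safe to render". I would add above the `if`: `# Reject the request's params object being passed straight to render: an indifferent-access Hash that is not a Parameters object, or a Parameters object that was never permitted. This does not vet individual option values copied out of params, and permit() only whitelists keys; render options such as :inline and :file remain the caller's responsibility.` Keying the first branch on `is_a?(HashWithIndifferentAccess)` presumably also rejects any app-built indifferent-access Hash that never came from the request, which is worth a sentence in the commit message or a deprecation-style message if that turns out to be common; the verifier cannot tell from this hunk. The body of `render` continues past the `else` outside the hunk.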