Rails is a software library that extends the Ruby programming language. It's often promoted as an MVC web framework, where MVC stands for Model, View, and Controller.
In practice, web developers are attracted by its simplicity and its principle of Convention over Configuration, and it has become more popular recently.
Although Rails is a mature framework in wide use today, web security issues are still there. This paper therefore briefly introduces the vulnerabilities that have been discovered in Rails.
0x01 Mass assignment
The toxic feature we are deeply in love with
We can pass a Hash object to assign multiple attributes at once.
If we don't limit which attributes can be assigned through a Hash object, some attributes may be modified unexpectedly.
We can bypass a .nil? check by forging params[:token] as [], [nil], [nil, nil, ...] or ['foo', nil], so that IS NULL or IN ('foo', NULL) is inserted into the SQL query, which might cause the application to behave unexpectedly.
After Rails 3.2.8, Rails added a method called deep_munge that eliminates nils in Hash objects.
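The nil bypass and the deep_munge countermeasure described above, as an added example that is not part of the original text or of Rails itself: the where_fragment builder is a simplified, assumed model of how ActiveRecord turned a where(column => value) hash into SQL, and deep_munge is a reimplementation of the idea, not the Rails method.

```ruby
# Illustrative quoting only; real code should use bound parameters.
def quote(v)
  "'#{v.to_s.gsub("'", "''")}'"
end

# Simplified model (an assumption, not ActiveRecord's code): nil becomes
# IS NULL, an Array becomes IN (...), and a nil inside an Array adds
# "OR column IS NULL".
def where_fragment(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    vals = value.compact
    if vals.empty?
      value.empty? ? "#{column} IN (NULL)" : "#{column} IS NULL"
    elsif value.include?(nil)
      "#{column} IN (#{vals.map { |v| quote(v) }.join(', ')}) OR #{column} IS NULL"
    else
      "#{column} IN (#{vals.map { |v| quote(v) }.join(', ')})"
    end
  else
    "#{column} = #{quote(value)}"
  end
end

# The application's guard: reject a missing token. [] and [nil] are not
# nil, so a forged JSON/XML body slips past the check.
def lookup_token(params)
  return :rejected if params["token"].nil?
  where_fragment("token", params["token"])
end

# deep_munge-style sanitiser: drop nils from arrays, collapse arrays that
# end up empty to nil, and recurse into nested hashes.
def deep_munge(hash)
  hash.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |h| deep_munge(h) }
      v.compact!
      hash[k] = nil if v.empty?
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# Same lookup, but parameters are munged first, as Rails does after the fix.
def safe_lookup_token(params)
  lookup_token(deep_munge(params))
end
```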
Because the XML parser supported parsing YAML, a specially crafted XML payload could instantiate a remote object, which in turn could be used to execute arbitrary Ruby code remotely in the context of the application.
After Rails 3, parsing of nodes with the yaml type has been disallowed by default.
When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted (ref: brakeman).
Before Rails 5, files whose extension had no template handler were rendered using the ERB handler, which might lead to remote code execution.
Rails 5 changed the default template handler from ERB to Raw (ref: commit).