---
title: Rails Security
robots: noindex, nofollow
tags: web, security, rails
slideOptions:
  previewLinks: true
---

# Rails Security

> Author: Boik
> Email: boik@tdohacker.org

## 0x00 Introduction

Rails is a software library that extends the Ruby programming language. It's often promoted as an MVC web framework, which stands for Model, View, and Controller respectively. De facto, web developers are attracted by its simplicity and the principle of Convention over Configuration, and it has become more popular in recent days. Although Rails is a mature framework in wide use today, web security issues are still there. Therefore, this paper will briefly introduce the vulnerabilities that have been discovered in Rails.

## 0x01 Mass assignment

- The toxic feature we are deeply in love with
- We can pass a Hash object to assign multiple attributes at once
- If we don't limit which attributes can be assigned through a Hash object, some attributes will be modified unexpectedly

![](http://i.imgur.com/gXaxeJW.jpg)

- [Public Key Security Vulnerability and Mitigation](https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation)
- After Rails 3.2.3, `config.active_record.whitelist_attributes = true`

![](http://i.imgur.com/kRE8bqa.jpg)

- After Rails 4, another security enhancement, `strong_parameters`, has been added, which lets you filter attributes easily in the Controller layer.

## 0x02 Unsafe Query Generation

- It's possible for Rails to generate some unsafe queries when dealing with params

![](http://i.imgur.com/1c2U1b5.jpg)

- We can bypass the `.nil?` check by forging `params[:token]` as `[]`, `[nil]`, `[nil, nil, ...]` or `['foo', nil]`, so that `IS NULL` or `IN ('foo', NULL)` is inserted into the SQL query, which might cause the application to behave unexpectedly.
- After Rails 3.2.8, Rails added a method called `deep_munge` to eliminate the `nil`s in the params Hash

![](http://i.imgur.com/AXnQull.jpg)

- A small PoC:
  - Say we have this code snippet

  ![](http://i.imgur.com/zIUTDdl.jpg)

  - We can bypass the `.nil?` check in **Rails 3.1.0**

  ![](http://i.imgur.com/yEQ1Xbq.jpg)

  - However, the attack has been mitigated in **Rails 4.2.5**

  ![](http://i.imgur.com/Ws77oQh.jpg)

## 0x03 Content_tag

- `content_tag` is a helper that lets developers generate HTML elements more quickly
- It can also generate unsafe HTML sometimes (ref: [brakeman](https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_content_tag.rb))

![](http://i.imgur.com/sgjGz8a.jpg)

- In Rails 4.2.5, attribute names can still be injected with arbitrary HTML

![](http://i.imgur.com/KV5G0ES.jpg)

- Though the values of attributes get escaped, they are still subject to XSS sometimes
- For instance, when `button_to` gets involved

![](http://i.imgur.com/iVMZP9f.jpg)

- Why?
  - `content_tag` returns strings marked `html_safe`, and `button_to` won't escape those strings since it considers them `html_safe`

## 0x04 YAML.load

- [CVE-2013-0156](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156)
  - Remote Code Execution Vulnerability
  - Because the XML parser supports YAML-typed nodes, a crafted XML payload can instantiate an arbitrary object, which in turn can be used to execute any Ruby code remotely in the context of the application
  - After Rails 3, parsing of nodes with the yaml type has been disallowed by default

```ruby
DISALLOWED_TYPES = %w(symbol yaml)

def initialize(xml, disallowed_types = nil)
  @xml = normalize_keys(XmlMini.parse(xml))
  @disallowed_types = disallowed_types || DISALLOWED_TYPES
end
```

- [CVE-2013-0333](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333)
  - Remote Code Execution Vulnerability
  - Before Rails 3.0.19, the default decoder used by the default JSON parser was YAML
  - Details:
    http://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html

## 0x05 Dynamic Render Paths

- When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted (ref: [brakeman](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/))
- Before Rails 5, files without a template handler in their extension were rendered using the ERB handler, which could lead to remote code execution
- Rails 5 changed the default template handler from `ERB` to `Raw` (ref: [commit](https://github.com/rails/rails/commit/4be859f0fdf7b3059a28d03c279f03f5938efc80))
- Details: http://devco.re/blog/2015/07/24/the-vulnerability-of-dynamic-render-paths-in-rails/

## 0x06 Reference

- [The Ruby/GitHub hack: translated](http://blog.erratasec.com/2012/03/rubygithub-hack-translated.html)
- [How Does Rack Parse Query Params? With Parse_nested_query](http://codefol.io/posts/How-Does-Rack-Parse-Query-Params-With-parse-nested-query)
- [Cross Site Scripting (Content Tag)](http://brakemanscanner.org/docs/warning_types/content_tag/)
- [Bad coding style can lead to XSS in Ruby on Rails](https://en.internetwache.org/bad-coding-style-can-lead-to-xss-in-ruby-on-rails-14-10-2014/)
- [An analysis of a rarely seen RoR RCE (CVE-2013-0156)](https://drops.secquan.org/papers/61)
- [Rails PoC exploit for CVE-2013-0333](http://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html)
- [Dynamic Render Paths](http://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)
- [The risks of dynamic template paths in Rails](http://devco.re/blog/2015/07/24/the-vulnerability-of-dynamic-render-paths-in-rails/)
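The mass assignment problem from 0x01 and the two mitigations it names, as an added plain-Ruby example that is not part of the original slides: an unguarded `assign_attributes!`, a model-side whitelist in the spirit of `attr_accessible`, and a controller-side filter in the spirit of `strong_parameters`' `permit`. `User`, `permit`, `update_profile` and `ACCESSIBLE` are our own names, not Rails APIs.

```ruby
# Added example: a tiny model standing in for an ActiveRecord model.
class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Unguarded mass assignment: every key in the hash turns into a setter
  # call, so a request body that also carries "admin" flips the flag.
  def assign_attributes!(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Model-side whitelist (the whitelist_attributes / attr_accessible era):
  # keys outside the list are dropped before assignment.
  ACCESSIBLE = %w[name email].freeze

  def assign_accessible(attrs)
    assign_attributes!(attrs.select { |k, _| ACCESSIBLE.include?(k.to_s) })
  end
end

# Controller-side filter in the spirit of strong_parameters' permit: only
# the allowed keys survive. The dropped keys are returned as well, since
# unexpected keys in a request body are worth logging.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  permitted = params.select { |k, _| allowed.include?(k.to_s) }
  [permitted, params.keys.map(&:to_s) - allowed]
end

# A profile update that should only ever touch name and email. With
# filtered: false it reproduces the unsafe pattern from the slides.
def update_profile(user, form_params, filtered: true)
  attrs = filtered ? permit(form_params, :name, :email).first : form_params
  user.assign_attributes!(attrs)
end
```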
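The `[nil]` bypass and the `deep_munge` mitigation from 0x02, as an added example that is not part of the original slides: a plain-Ruby approximation of how a token condition is rendered to SQL and a `deep_munge` modelled on the Rails 4.x version, applied before the `.nil?` check runs. `render_condition`, `deep_munge` and `token_lookup_sql` are our own names; the SQL rendering approximates ActiveRecord's output rather than reproducing it.

```ruby
# Added example: render one column condition roughly the way ActiveRecord
# does. A scalar becomes `= 'v'`, an array becomes `IN (...)`, nil (also a
# nil inside an array) becomes `IS NULL`, and an empty array matches nothing.
def render_condition(column, value)
  quote = ->(v) { "'#{v.to_s.gsub("'", "''")}'" }
  case value
  when nil then "#{column} IS NULL"
  when Array
    present = value.compact
    parts = []
    parts << "#{column} IN (#{present.map(&quote).join(', ')})" unless present.empty?
    parts << "#{column} IS NULL" if present.size != value.size
    parts.empty? ? "1=0" : parts.join(" OR ")
  else "#{column} = #{quote.call(value)}"
  end
end

# deep_munge as in Rails 4.x: strip nils out of arrays (recursing into
# nested hashes) and turn an array that is empty afterwards into nil, so
# `[nil]`, `[nil, nil]` and `[]` all reach the controller as nil.
def deep_munge(hash)
  hash.each do |key, value|
    case value
    when Array
      value.grep(Hash) { |inner| deep_munge(inner) }
      value.compact!
      hash[key] = nil if value.empty?
    when Hash then deep_munge(value)
    end
  end
  hash
end

# The pattern from the slides: reject a missing token, otherwise look it up.
# Returns :rejected or the SQL that would be sent to the database; with
# munge: false it behaves like Rails before deep_munge existed.
def token_lookup_sql(params, munge: true)
  params = deep_munge(params) if munge
  token = params["token"]
  return :rejected if token.nil?
  "SELECT * FROM users WHERE #{render_condition('token', token)}"
end
```

The interesting pair is `{"token" => [nil]}`: unmunged it passes the `.nil?` check and renders `token IS NULL`, which matches every row whose token column is NULL; munged it is rejected.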
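A guard for the "render a user-chosen template" pattern from 0x05, as an added example that is not part of the original slides: the resolver keeps the normalised path inside a fixed views root and refuses files whose extension is not a handler the app knowingly ships, instead of letting a fallback handler (ERB before Rails 5) interpret them. `VIEWS_ROOT`, `HANDLERS`, `EXISTING` and `resolve_template` are our own names, and the file list is constructed in memory so the example runs offline.

```ruby
# Added example: constructed paths standing in for the filesystem.
VIEWS_ROOT = "/app/app/views/pages"
HANDLERS = %w[erb builder].freeze       # template handlers this app ships
EXISTING = [
  "/app/app/views/pages/about.html.erb",
  "/app/app/views/pages/notes.txt",     # no template handler in extension
  "/app/config/database.yml",
].freeze

# Returns [:ok, path] for a template that may be rendered, otherwise
# [:reject, reason]. `name` is the untrusted value taken from params.
def resolve_template(name, root: VIEWS_ROOT, existing: EXISTING)
  str = name.to_s
  return [:reject, :blank] if str.strip.empty?
  begin
    full = File.expand_path(str, root)   # collapses "../" segments
  rescue ArgumentError                   # e.g. an embedded null byte
    return [:reject, :bad_name]
  end
  # Whatever the segments were, the result must stay under the views root.
  return [:reject, :outside_root] unless full.start_with?(root + "/")
  # Accept the exact file or "<name>.<format>.<handler>", as Rails' lookup
  # would, but only among files that actually exist.
  candidates = existing.select { |p| p == full || p.start_with?(full + ".") }
  return [:reject, :not_found] if candidates.empty?
  path = candidates.first
  handler = File.extname(path).delete_prefix(".")
  return [:reject, :unknown_handler] unless HANDLERS.include?(handler)
  [:ok, path]
end
```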