DEV Community

Cover image for Today’s rails security update in plain english
Alex Sharp 🛠sharesecret.co
Alex Sharp 🛠sharesecret.co

Posted on • Updated on • Originally published at blog.sharesecret.co

Today’s rails security update in plain english

Cross-posted from the ShareSecret blog.


Earlier today the Rails team pushed new versions to patch three security vulnerabilities:

  1. CVE-2019-5418: Action view file content disclosure
  2. CVE-2019-5419: Action view Denial of Service (DOS)
  3. CVE-2019-5420: Rails development mode Remote code execution (RCE)

I’ve addressed the vulnerabilities below in order of severity.

Note: The rails upgrade guide is a great resource for upgrading your rails app.

🚨 🚨 🚨 🚨 🚨 🔥 Action View Denial of Service (DOS)

Alarm level: Five alarm fire. Patch immediately.

If you’re rendering tempates, you’re almost definitely subject to a DOS attack. This one is really bad. Patch/upgrade immediately.

Using specially crafted headers you can max out the CPU by exploiting the template location code. Rendering templates wrapped in a respond_to block is safe. Otherwise, you’re vulnerable.

Vulnerable:

class UserController < ApplicationController 
  def index 
    render "index" 
  end 
end 

Not vulnerable:

class UserController < ApplicationController 
  def index 
    respond_to |format| 
      format.html { render "index" } 
    end 
  end 
end 

Read more

🚨 🚨 🚨 🚨 🚨 🔥 Action View File Content Disclosure

Alarm level: Five alarm fire. Patch immediately.

By using specially crafted headers, you can view an arbitrary file’s content with if you use render file: 'filename'. Not good.

The good news: if you’re just rendering normal templates, you’re not affected by this vulnerability, though you’re probably affected by the CVE-2019-5419.

Read more

🚨 Rails development mode RCE

Alarm level: Not good, but go back to sleep. Fix it in the morning.

Due to how rails generates the secret_key_base in development mode — an MD5 of the app module name — if you know the name of the application, you can figure out the secret key. As long as you don’t have dev mode apps exposed to the public, this isn’t a huge deal, though is still something worth fixing.

Read more


☝️ Be sure to check out Sharesecret, which makes it easy to securely share sensitive data.

Discussion (6)

Collapse
terabytetiger profile image
Tyler V. (he/him)

Alarm level: Five alarm fire. Patch immediately.

Alarm level: Not good, but go back to sleep. Fix it in the morning.

I think we need more breakdowns that use this type of "in your face. Here's how urgent this is" language for security patches. Not in place of the technical details, but preferably in addition to.

As someone that's involved with Rails to the extent of 'maybe I installed it at some point', this article was easy to follow. Great write-up!

Collapse
ajsharp profile image
Alex Sharp 🛠sharesecret.co Author

Hey thanks, I appreciate it, and I agree! There are so many security updates, and it's easy to pass over them when you read the headline.

Collapse
cyc115 profile image
Mike Chen

Rails development mode RCE is a bad one depending on your network layout. A development server can quickly become a pivot point to internal networks if the network is not well segmented.

Collapse
ajsharp profile image
Alex Sharp 🛠sharesecret.co Author

Yea, that's a great point. I'll update the post with a blurb about that.

Collapse
bobwalsh profile image
Bob Walsh

Hey Thanks Alex for sorting out security issues that matter from the noise - will start following your posts!