Rails LTS for Rails 4.2 and earlier contains a fix for CVE-2021-22885. The fix includes a breaking change, which you can opt out of. In Rails 5.2 LTS and upward there is no opt-out, because the behaviour was already fixed in the original 5.2 release.
Affected code looks like this:
redirect_to(params[:redirect_url])
If params[:redirect_url] was, for example, the array ['my', 'secret'], this would cause the method my_secret_url to be called and its return value to be used as the redirect target. Note that a client can turn a request parameter into an array simply by repeating it with [] brackets, e.g. with the query string ?redirect_url[]=my&redirect_url[]=secret, so the array (and therefore the helper name) is fully attacker-controlled.
That can be problematic, for example
- when there is a dangerous ..._path or ..._url method in your application (the attacker chooses by name which one is called), or
- when some path in your routes may reveal some kind of secret.
This vulnerability is fixed in Rails LTS by disallowing strings within arrays in all calls to redirect_to, url_for, form_for and the other helpers that build polymorphic URLs. This mimics the fix in Rails 5+.
Breaking change
This however also means you may no longer use calls like
redirect_to(['edit', 'backend', @user])
form_for(['invite', @user]) ...
even though those uses are perfectly fine (the strings are literals in your own code, not user input). Instead you have to use symbols:
redirect_to([:edit, :backend, @user])
Opt-out mechanism
If you're uncertain whether this could break your application, and don't believe you are vulnerable to the attack described above (i.e. no user-controlled value ever reaches redirect_to, url_for or a similar helper as an array), you can opt out of this change by adding the following config option to your config/environment.rb / config/application.rb:
config.rails_lts_options = { :default => :hardened, :allow_strings_for_polymorphic_paths => true }
or
config.rails_lts_options = { :default => :compatible, :allow_strings_for_polymorphic_paths => true }
With this setting, the application will no longer raise an error, but only output a warning to your Rails log. The opt-out restores the old behaviour rather than protecting you, so treat each warning as a call site to convert to symbols; once the log stays clean, remove the option again.
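The following stand-alone Ruby script is an added example, not code from Rails or Rails LTS. It models how the array from the affected code above is turned into a my_secret_url call, how the hardened fix rejects strings while still accepting the symbol form from the "Breaking change" section, and what the warn-only opt-out looks like. The UrlHelpers class, the User struct, the Router class with its :legacy/:hardened/:compatible modes, the params_from_query helper and the example.test URLs are all assumptions made for illustration; the real implementation lives in ActionDispatch::Routing::PolymorphicRoutes and differs in detail.

```ruby
# Added example (not Rails / Rails LTS code): a stand-alone model of how an
# array passed to redirect_to becomes a "<name>_url" method call, why that is
# dangerous with user input, and what the Rails LTS fix and its opt-out change.
require "uri"

# Hypothetical URL helpers, standing in for the *_url methods Rails generates
# from routes.rb (plus any an application defines itself).
class UrlHelpers
  def edit_backend_user_url(user)
    "https://example.test/backend/users/#{user.id}/edit"
  end

  # Assumed "dangerous" helper: its URL reveals an internal path.
  def my_secret_url
    "https://example.test/internal/reports"
  end
end

User = Struct.new(:id) # minimal stand-in for an Active Record model

# Simplified model of polymorphic URL building. Modes map to the behaviours on
# this page: :legacy (before the fix), :hardened (raise, the default after the
# fix) and :compatible (the opt-out: strings allowed, but a warning is logged).
class Router
  attr_reader :warnings

  def initialize(helpers, mode: :hardened)
    @helpers = helpers
    @mode = mode
    @warnings = []
  end

  # Join the array into a helper name and call it: symbols and strings become
  # part of the name, model objects become arguments of the helper.
  def polymorphic_url(parts)
    args = []
    name = parts.map do |part|
      case part
      when Symbol then part.to_s
      when String
        check_string(part)
        part
      else
        args << part
        part.class.name.downcase # stand-in for model_name.singular_route_key
      end
    end.join("_")
    @helpers.public_send("#{name}_url", *args)
  end

  def redirect_to(target)
    target.is_a?(Array) ? polymorphic_url(target) : target.to_s
  end

  private

  def check_string(str)
    case @mode
    when :hardened
      raise ArgumentError, "Please use symbols for polymorphic route arguments (got #{str.inspect})"
    when :compatible
      @warnings << "[polymorphic_url] string #{str.inspect} passed; use a symbol instead"
    end
  end
end

# Parse "key[]=a&key[]=b" into { "key" => ["a", "b"] }, as Rack does for
# repeated "[]" parameters (stdlib only, so this runs without Rack installed).
def params_from_query(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), params|
    if key.end_with?("[]")
      (params[key[0..-3]] ||= []) << value
    else
      params[key] = value
    end
  end
end

if $PROGRAM_NAME == __FILE__
  params = params_from_query("redirect_url[]=my&redirect_url[]=secret")
  puts Router.new(UrlHelpers.new, mode: :legacy).redirect_to(params["redirect_url"])
  begin
    Router.new(UrlHelpers.new, mode: :hardened).redirect_to(params["redirect_url"])
  rescue ArgumentError => e
    puts "hardened: #{e.message}"
  end
  compat = Router.new(UrlHelpers.new, mode: :compatible)
  puts compat.redirect_to(["edit", "backend", User.new(7)])
  puts compat.warnings
end
```

Running the script shows the three behaviours side by side: in :legacy mode the attacker-supplied query string reaches my_secret_url and its URL is returned as the redirect target; in :hardened mode the same input raises ArgumentError before any helper is looked up, while the symbol form [:edit, :backend, @user] still works; in :compatible mode the string form from your own code keeps working and each string produces one warning, which is the list of call sites to convert before the opt-out is removed.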