Posted over 1 year ago. Visible to the public.

Using strings in polymorphic helpers / CVE-2021-22885

Rails LTS (<= 4.2) contains a fix for CVE-2021-22885, but this includes a breaking change you can opt out of. In Rails 5.2 LTS you cannot opt out of this, because it was already fixed in the original 5.2 release.

Affected code looks like this:

redirect_to(params[:redirect_url])

If params[:redirect_url] was, for example, the array ['my', 'secret'], this would cause the method my_secret_url to be called.

That can be problematic, for example:

  • when there is a dangerous ..._path or ..._url method in your application,
  • or when some path in your routes may reveal some kind of secret.

This vulnerability is fixed in Rails LTS by disallowing strings to appear within arrays in all calls to redirect_to, url_for, form_for etc. This mimics the fix in Rails 5+.

Breaking change

This, however, also means you may no longer use calls like

redirect_to(['edit', 'backend', @user])
form_for(['invite', @user])
...

although those uses are perfectly fine. Instead, you have to use symbols like

redirect_to([:edit, :backend, @user])

Opt-out mechanism

If you're uncertain whether this could break your application, and don't believe you are vulnerable to the attack described above, you can opt out of this change by adding the following config option to your config/environment.rb / config/application.rb:

config.rails_lts_options = { :default => :hardened, :allow_strings_for_polymorphic_paths => true }

or

config.rails_lts_options = { :default => :compatible, :allow_strings_for_polymorphic_paths => true }

With this setting, the application will no longer raise an error, but only output a warning to your Rails log.
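To make the mechanism above concrete, here is an added example (not code from makandra, Rails LTS or Rails itself) that models in plain Ruby how a polymorphic helper turns an array into a route-helper name, and what the string check does in hardened versus compatible mode. The controller, its helper methods, the hash-based "records" and the option constants are invented stand-ins for this illustration.

```ruby
# Added example, not code from makandra or Rails: a simplified model of how a
# polymorphic helper turns an array into a route-helper name, plus the
# string check that Rails LTS adds. Controller and helper names are invented.
class DemoController
  # Stands in for helpers generated from config/routes.rb (hypothetical).
  def my_secret_url
    "https://example.test/my/secret"
  end

  def edit_backend_user_url(user)
    "https://example.test/backend/users/#{user[:id]}/edit"
  end
end

# Mirrors the page's two config modes: hardened raises, compatible warns.
HARDENED   = { default: :hardened, allow_strings_for_polymorphic_paths: false }.freeze
COMPATIBLE = { default: :compatible, allow_strings_for_polymorphic_paths: true }.freeze

# Strings may come straight from params, so reject them unless opted out.
def check_polymorphic_args!(args, options = HARDENED)
  strings = args.select { |a| a.is_a?(String) }
  return :ok if strings.empty?
  unless options[:allow_strings_for_polymorphic_paths]
    raise ArgumentError, "strings not allowed in polymorphic args: #{strings.inspect}"
  end
  warn "DEPRECATION: string in polymorphic args: #{strings.inspect}"
  :warned
end

# Build the helper name: prefixes and record model names joined by "_", then "_url".
# Records are constructed as hashes like { model: "user", id: 7 }.
def polymorphic_url_name(args)
  parts = args.map { |a| a.is_a?(Hash) ? a[:model] : a.to_s }
  "#{parts.join('_')}_url"
end

# What redirect_to(array) ends up doing: resolve the name and call it.
def redirect_target(controller, args, options = HARDENED)
  check_polymorphic_args!(args, options)
  records = args.select { |a| a.is_a?(Hash) }
  controller.public_send(polymorphic_url_name(args), *records)
end

if __FILE__ == $PROGRAM_NAME
  user = { model: "user", id: 7 }
  puts redirect_target(DemoController.new, [:edit, :backend, user])
end
```

In hardened mode `['my', 'secret']` is rejected before any helper is looked up, while the symbol form `[:edit, :backend, user]` still resolves; in compatible mode the string form only logs a warning and is otherwise resolved as before.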


Owner of this card: Tobias Kraze
Last edit: 10 months ago by Tobias Kraze