Using strings in polymorphic helpers / CVE-2021-22885

Rails LTS (<= 4.2) contains a fix for CVE-2021-22885, but this includes a breaking change you can opt out of. In Rails 5.2 LTS you cannot opt out of this, because it was already fixed in the original 5.2 release.

Affected code looks like this


If params[:redirect_url] was, for example, the array ['my', 'secret'], this would cause the method my_secret_url to be called.

That can be problematic, for example

  • when there is a dangerous ..._path or ..._url method in your application,
  • or when some path in your routes may reveal some kind of secret.

This vulnerability is fixed in Rails LTS by disallowing strings to appear within arrays in all calls to redirect_tourl_for, form_for etc. This mimics the fix in Rails 5+.

Breaking change

This however also means you may no longer use calls like 

redirect_to(['edit', 'backend', @user])
form_for(['invite', @user]) ...

although those uses are perfectly fine. Instead you have to use symbols like

redirect_to([:edit, :backend, @user])

Opt-out mechanism

If you're uncertain whether this could break your application, and don't believe you are vulnerable to the attack described above, you can opt out of this change by adding the following config option to your config/environment.rb / config/application.rb:

config.rails_lts_options = { :default => :hardened, :allow_strings_for_polymorphic_paths => true }


config.rails_lts_options = { :default => :compatible, :allow_strings_for_polymorphic_paths => true }

With this setting, the application will no longer raise an error, but only output a warning to your Rails log.

Tobias Kraze Over 2 years ago