Using strings in polymorphic helpers / CVE-2021-22885

Rails LTS contains a fix for CVE-2021-22885, but this includes a breaking change you can opt out of.

Affected code looks like this

redirect_to(params[:redirect_url])

If params[:redirect_url] was, for example, the array ['my', 'secret'], this would cause the method my_secret_url to be called.

That can be problematic, for example

  • when there is a dangerous ..._path or ..._url method in your application,
  • or when some path in your routes may reveal some kind of secret.

This vulnerability is fixed in Rails LTS by disallowing strings to appear within arrays in all calls to redirect_tourl_for, form_for etc. This mimics the fix in Rails 5+.

Breaking change

This however also means you may no longer use calls like 

redirect_to(['edit', 'backend', @user])
form_for(['invite', @user]) ...

although those uses are perfectly fine. Instead you have to use symbols like

redirect_to([:edit, :backend, @user])

Opt-out mechanism

If you're uncertain whether this could break your application, and don't believe you are vulnerable to the attack described above, you can opt out of this change by adding the following config option to your config/environment.rb / config/application.rb:

config.rails_lts_options = { :default => :hardened, :allow_strings_for_polymorphic_paths => true }

or

config.rails_lts_options = { :default => :compatible, :allow_strings_for_polymorphic_paths => true }

With this setting, the application will no longer raise an error, but only output a warning to your Rails log.

Tobias Kraze 3 months ago
This website uses short-lived cookies to improve usability.
Accept or learn more