Hacker News new | past | comments | ask | show | jobs | submit login

run this for rails 2.x

  curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' http://localhost:3000
If in your logs the params[:id] is an object, then you are vulnerable. If it's just a string, then your fix worked.

I put mine in an intializers file.

  ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
  ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')



Thank you, very helpful.

EDIT AGAIN: I think putting it at the end of environment.rb works. I somehow messed it up and got confused, but then I tried it again and it worked. Just make sure you confirm your fix with the curl command!


I can confirm that this method produced the desired change in a Rails 2.1.2 app.


It should work at any place where activesupport has been loaded.


I just updated our app from 2.3.14 to 2.3.15, yet when I run your curl command I'm getting:

    Parameters: {"id"=>#<ActionController::Base:0xb570d2e8 @bar=1>}
Why do you think I'm still unprotected after updating to the fixed version 2.3.15 referenced here? http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3...

Or is there something I'm missing?


You should double check or restart your server or something. I tried it on 2.3.15 and I am getting

  Disallowed type attribute: "yaml"


This is what I had done:

1. Edit Gemfile and change rails version from 2.3.14 to 2.3.15.

2. Commit and push changes

3. bundle exec cap deploy (this is our standard method and works well.)

4. Double check rails -v returns 2.3.15 on production server.

5. On the production server run

    curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' --insecure http://localhost
Result:

    Parameters: {"id"=>#<ActionController::Base:0xb570d2e8 @bar=1>}
Once I got the curl command to run against my production site (see my comment just below) and saw that it was still vulnerable, I quickly hacked

    ActionController::Base.param_parsers.delete(Mime::XML)
into environments.rb and re-deployed and that fixed it. Now when I run the curl command I get a parameter-less GET request in the log. I still do not understand why updating to 2.3.15 per the recommended method did not fix the problem, but at least our app doesn't need the xml in that way.


Are you running this test against your development or production site? I can't get it to run against my production site, (nothing appears in the log at all,) but I have triple checked everything and am still getting the same unwanted result against my development site.


Are you maybe hitting a cached page on production that can get handled without rails being involved?


Thank you, it turns out I was able to get the curl command to run against production site by adding the --insecure option and using the default port:

    curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' --insecure https:localhost


Is Rails 1.X vulnerable at all? Tried running the snippet on a Rails 1.X app without any patches, and I got the id as a string, not an object. Why? The Rails guys seemingly implied 1.X is also vulnerable just that they don't give a damn about investigating what would fix it because it's too damn old.


Per pixeltrix's comment it appears that you're safe.

  "If you mean that your Ruby on Rails version is 1.2.6 then, no the vulnerability does not affect you as the feature was introduced in Ruby on Rails 2.0"
source: http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3...


Using the above curl command I was able to verify that an old rails 1.2.3 app that I pretend-maintain for a friend returned the ID as a string. Since it is a string and not an object, it's safe. That's all I know. From what I gather/conjecture, rails 1.x didn't have the functionality that caused this vulnerability in the first place.


I am not quite sure how those 2 lines interfer with my rails 2.0 app (we are using XML features). What exactly is being disabled here? What features will i not able to use anymore after applying this fix?

Thanks for the help!


Is this good or bad:

Parameters: {"action"=>"list", "id"=>#<ActionController::Base:0x6dc4177ed940 @bar=1>, "controller"=>"news"}


Bad. It means you succesfully made an ActionController object .

Good would look something like this:

  Parameters: {"action"=>"index", "id"=>"--- !ruby/object:ActionController::Base


okay - (forgive me). I have a very old project i'm trying to fix. I updated rails to 3.2.11

It's been like 4 years since i did this and haven't touched rails since.

What else do i need to do here to fix this? i Thought rails 3.2.11 was ok..


Rails 3.2.11 is OK. I upgraded a website to it and did nothing else and when I try the curl command ( curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' http://example.com/ ) I see something like this in the production log:

  Hash::DisallowedType (Disallowed type attribute: "yaml"):
  activesupport (3.2.11) lib/active_support/core_ext/hash/conversions.rb:112:in `typecast_xml_value'


Yeah my site is on a shared host.. and it's picking up a different version of rails. fuuuuck.


If you're running a very old version of rails, it might not be that easy to update to the latest rails version. In that case, just stick this in your config/environment.rb

ActionController::Base.param_parsers.delete(Mime::XML)

This will disable parsing of xml which most people never use anyway




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: