Rails Security Alert – 2014-05-06

Wildcard routes.

There is a vulnerability in the ‘implicit render’ functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.

Versions Affected: All Supported
Not affected: None
Fixed Versions: 4.1.1, 4.0.5, 3.2.18

Impact
——
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.

In order to be vulnerable an application must specifically use globbing routes[1] in combination with the :action parameter. The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example ‘/’ and ‘.’. As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.

To determine if you are vulnerable, search your application’s routes files for ‘*action’ and if you find any, use one of the work arounds below.

Releases
——–
The 4.1.1, 4.0.5 and 3.2.18 releases are available at the normal locations.

Workarounds
———–
The simplest workaround is to simply not use globbing matches for the :action parameter. As action methods cannot contain a ‘/’ character, the simple matching should be sufficient. So replace

get ‘my_url/*action’, controller: ‘asdf’

with

get ‘my_url/:action’, controller: ‘asdf’

If your application depends on this functionality, you will need to rename the route parameter and add an explicit action:

get ‘my_url/*template_path’, controller: ‘asdf’, action: ‘display’

Then add an action which renders explicitly:

def display
if !params[:template_path].index(‘.’)
render file: params[:template_path]
end
end

Note: The path check in this example may not be suitable for your application, take care

Patches
——-
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 4-1-directory_traversal.patch – Patch for 4.1 series
* 4-0-directory_traversal.patch – Patch for 4.0 series
* 3-2-directory_traversal.patch – Patch for 3.2 series

Please note that only the 4.1.x, 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
——-
Thanks to Ville Lautanala of Flowdock for reporting the vulnerability to us, and working with us on a fix.

[1] http://guides.rubyonrails.org/routing.html#route-globbing-and-wildcard-segments

Daily Vitamin #15 – iOS Web Server, Ubuntu 14.04LTS

Lightweight GCD based HTTP server for OS X & iOS (includes web based uploader & WebDAV server)

GCDWebServer was originally written for the ComicFlow comic reader app for iPad. It allow users to connect to their iPad with their web browser over WiFi and then upload, download and organize comic files inside the app.

GCDWebServer

Ubuntu 14.04LTS – New LTS, desktop looks lot more like Mac OS X, which means it’s friendlier to use.

Tips for Starting Haskell

I began recording a series of Haskell screencasts, but as always, had to move all my focus aways from anything personal due to work. Rather than throwing the notes away, I’ll post some of them here as I go through my spring cleaning.

Below are the links I was going to mention in the screencast.

To install Haskell on your Mac, use Homebrew by following these steps:
$ brew update
$ brew install haskell-platform
$ echo 'export PATH=~/.cabal/bin:$PATH' >> ~/.zshrc
$ cabal update

Please be advised that I use zsh, so that’s why the third step is .zshrc. If you use bash, then change that to .bashrc or .profile.

To verify that the installation, start ghci.

cabal is a package manager for the platform. Test the cabal by installing pandoc (since it’s an essential tool, right?) for documentation since we all LOVE documentation. 😉
$ cabal install pandoc

BTSync – Better Alternative to Dropbox

Although I still think that Dropbox is a great service, I just didn’t like the limitation and uneasy feeling of having my files sitting on someone else’s server. That’s why when BTSync came out, I decided to give it a try and it’s been a year since I switched and thought it was about time I gave my thoughts.

I won’t go into technical details here, but it’s not any insecure than other services. You can find more about it at https://www.bittorrent.com/sync

BitTorrent_Sync_Beta

Things I Like

1. The file syncs lot faster between my computers.
2. Works without making me think about it.
3. The files are on my machines and on my server with a web UI. See below.
BitTorrent_Sync
4. Free!!!
5. Automatically syncs anywhere.
6. Did I mention it’s FAST?
7. Super easy to set up.

From Security Now

Final Thoughts

Don’t let the “beta” fool you. I’ve been using this for over a year and didn’t even know that this was still in beta. It’s lot better than Dropbox since it also keeps versions for you just in case you make the mistake of deleting files. I personally believe that BTSync IS the Dropbox killer. I have yet to find anything that would make me think that Dropbox is a better product.

Cocoa’s Nil Behavior to Ruby

As you may or may not know, when you send a message to nil in Cocoa, it doesn’t do anything and certainly doesn’t raise any exception. You may or may not agree with the design, but we’ve all programmed just fine with this fact.

Having said that, what if you wanted the same behavior in Ruby?

NilClass.class_eval { define_method(:method_missing) {|*args| self} }

Is this a good idea?

* this is a code joke, please don’t take it too seriously