
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN290
_____________________________________________________________________

DATE                : 20/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rails versions prior to 5.2.4.3,
                     6.0.3.1, 4.2.11.2.

=====================================================================
https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
_____________________________________________________________________

Circumvention of file size limits in ActiveStorage

There is a vulnerability in ActiveStorage's S3 adapter that allows the
Content-Length of a direct file upload to be modified by an end user.
This vulnerability has been assigned the CVE identifier CVE-2020-8162.

Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
Not affected:       Applications that do not use the direct upload
functionality of the ActiveStorage S3 adapter.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1


Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length
of an S3 direct upload URL without receiving a new signature from the
server. This could be used to bypass controls in place on the server to
limit upload size.
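The following is an added illustration, not code from Rails' ActiveStorage
or from AWS's signing library, of why the signature issued for a direct
upload has to cover the Content-Length the server approved. A server-side
size check is only effective if the client cannot change the length after
the signature is issued. The signing key, the size limit and the field
names are assumptions for the demonstration.

```ruby
require "openssl"

# Constructed illustration, not Rails' ActiveStorage or AWS's SigV4 code: the
# application server approves an upload and signs its parameters; the storage
# side verifies the signature before accepting the bytes. The signing key and
# the size limit are assumptions for the demonstration.
SECRET_KEY = "constructed-demo-signing-key".freeze
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Canonical string over exactly the fields that are signed.
def canonical(fields)
  fields.sort.map { |k, v| "#{k}=#{v}" }.join("&")
end

def sign(fields, key: SECRET_KEY)
  OpenSSL::HMAC.hexdigest("SHA256", key, canonical(fields))
end

# Constant-time comparison of two digests.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: enforce the size limit, then sign the listed fields.
# `signed_keys` decides whether content_length is protected by the signature.
def issue_upload(blob_key, content_length, signed_keys:, key: SECRET_KEY)
  raise ArgumentError, "upload larger than #{MAX_UPLOAD_BYTES} bytes" if content_length > MAX_UPLOAD_BYTES
  fields = { "key" => blob_key, "content_length" => content_length.to_s }
  signed = fields.select { |k, _| signed_keys.include?(k) }
  fields.merge("signed_keys" => signed_keys.join(","), "signature" => sign(signed, key: key))
end

# Storage side: recompute the signature over the fields the server said it signed.
def upload_accepted?(request, key: SECRET_KEY)
  return false unless request["signature"] && request["signed_keys"]
  signed_keys = request["signed_keys"].split(",")
  signed = request.select { |k, _| signed_keys.include?(k) }
  secure_equal?(sign(signed, key: key), request["signature"])
end

# The weak scheme signs only the object key; the corrected scheme also signs
# content_length, so a client-side change to it invalidates the signature.
def issue_upload_weak(blob_key, content_length)
  issue_upload(blob_key, content_length, signed_keys: ["key"])
end

def issue_upload_fixed(blob_key, content_length)
  issue_upload(blob_key, content_length, signed_keys: %w[key content_length])
end

# Client changes the Content-Length after the server issued the signature.
def with_content_length(request, new_length)
  request.merge("content_length" => new_length.to_s)
end
```

With the weak scheme a request whose content_length was changed after
signing still verifies, which is the bypass the advisory describes; with
the fixed scheme the same change fails verification, and editing the
signed_keys list to drop content_length fails as well because the stored
signature was computed over the original field set.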


Releases
--------

Rails 5.2.4.3 and 6.0.3.1 are available on RubyGems.


Workarounds
-----------

This is a low-severity security issue. As such, no workaround is
necessary until such time as the application can be upgraded.


Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails
5.2.4.2.

* 5-2-activestorage-s3-adapter.patch
* 6-0-activestorage-s3-adapter.patch


Credits
-------

Thanks to Travis Pew (@travisp) for reporting this issue via our
HackerOne bug bounty program and providing a patch.

_____________________________________________________________________

Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack. This
vulnerability has been assigned the CVE identifier CVE-2020-8164.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 4.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1


Impact
------

In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically, the return value of `each`, `each_value`,
or `each_pair` is the underlying "untrusted" hash of data that was read
from the parameters.  Applications that use this return value may
inadvertently use untrusted user input.


Impacted code will look something like this:

```ruby
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  # clean_up_params returns the raw, unpermitted hash, so is_admin reaches the model
  User.update(clean_up_params)
end

def clean_up_params
  # Mistaken use of `each`: its return value is the underlying untrusted hash
  params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the
above example.
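The following added example, which is not Rails code, uses a deliberately
simplified stand-in for ActionController::Parameters that reproduces only
the behaviour described above: `each` is delegated to the underlying hash,
so its return value is the unfiltered hash. It runs the advisory's
`clean_up_params` shape beside a version that returns an explicitly
permitted hash. The class, the `check_name` hook and the request input are
all constructed for the demonstration.

```ruby
# Constructed, simplified stand-in for ActionController::Parameters (not Rails
# code) that reproduces only the behaviour the advisory describes: `each` is
# delegated to the underlying hash, so its return value is that raw hash.
class ToyParameters
  def initialize(hash)
    @parameters = hash.transform_keys(&:to_sym)
  end

  # Pre-fix behaviour: Hash#each returns its receiver, i.e. the unfiltered,
  # untrusted hash, and that is what callers of this method get back.
  def each(&block)
    @parameters.each(&block)
  end

  # Allowlist: only the named keys survive.
  def permit(*keys)
    @parameters.slice(*keys.map(&:to_sym))
  end
end

# Stand-in for the model's validation hook (`SomeModel.check`) in the advisory.
def check_name(value)
  raise ArgumentError, "bad name" unless value.is_a?(String) && !value.empty?
end

# Vulnerable shape from the advisory: the method's value is whatever `each`
# returns, which here is the raw hash including is_admin.
def clean_up_params_vulnerable(params)
  params.each { |k, v| check_name(v) if k == :name }
end

# Safe shape: validate with `each`, then return an explicitly permitted hash.
def clean_up_params_safe(params)
  params.each { |k, v| check_name(v) if k == :name }
  params.permit(:name)
end

# Constructed request in which the attacker has added is_admin=true.
REQUEST_PARAMS = { "name" => "alice", "is_admin" => true }.freeze

# Attributes that would reach User.update in the advisory's `update` action.
def attributes_for_update(safe: true)
  params = ToyParameters.new(REQUEST_PARAMS)
  safe ? clean_up_params_safe(params) : clean_up_params_vulnerable(params)
end
```

The vulnerable shape hands `{ name: "alice", is_admin: true }` to the model;
the safe shape hands it `{ name: "alice" }`. The fixed Rails releases change
what `each` and its siblings return; the workaround in this advisory is not
to rely on that return value at all.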


Releases
--------
The 5.2.4.3 and 6.0.3.1 releases are available at the normal locations.


Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in
your application.


Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.

* 5-2-strong-params.patch - Patch for 5.2 series
* 6-0-strong-params.patch - Patch for 6.0 series

Please note that only the 6.0 and 5.2 series are supported at present.
Users of earlier unsupported releases are advised to upgrade as soon as
possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.


Credits
-------

Thanks to Achilleas (@abuisman) for reporting this issue via our
HackerOne bug bounty program.

_____________________________________________________________________

Potentially unintended unmarshalling of user-provided objects in
MemCacheStore and RedisCacheStore


There is potentially unexpected behaviour in the MemCacheStore and
RedisCacheStore where, when untrusted user input is written to the cache
store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object
instead of plain text. Vulnerable code looks like:

```ruby
data = cache.fetch("demo", raw: true) { untrusted_string }
```

This vulnerability has been assigned the CVE identifier CVE-2020-8165.


Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications not using MemCacheStore or
RedisCacheStore. Applications that do not use the `raw` option when
storing untrusted user input.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1


Impact
------

Unmarshalling of untrusted user input can have impact up to and
including RCE. At a minimum, this vulnerability allows an attacker to
inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers
should ensure that whenever they are calling `Rails.cache.fetch` they
are using consistent values of the `raw` parameter for both
reading and writing, especially in the case of the RedisCacheStore which
does not, prior to these changes, detect if data was serialized using
the raw option upon deserialization.


Releases
--------

The fixed releases are available on RubyGems.


Workarounds
-----------

It is recommended that application developers apply the suggested patch
or upgrade to the latest release as soon as possible. If this is not
possible, we recommend ensuring that all user-provided strings cached
using the `raw` argument should be double-checked to ensure that they
conform to the expected format.
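The following added example is not Rails' MemCacheStore or RedisCacheStore
code; it is a constructed toy store that models the two behaviours the
Impact and Workarounds sections above describe: a `raw: true` write stores
the string as-is, and a non-raw read unmarshals whatever bytes are in the
backend without checking how they were written. It shows a user-provided
string coming back as a Ruby object when the `raw` flag is used
inconsistently, the same string coming back unchanged when it is used
consistently, and the advisory's format check applied to a raw-cached
value. The untrusted input is constructed and encodes a harmless Array; the
counter format is an assumption.

```ruby
# Constructed toy cache store (not Rails' MemCacheStore or RedisCacheStore)
# that models the behaviour in the advisory: `raw: true` stores the string
# as-is; a non-raw read Marshal-loads whatever bytes are in the backend
# without checking how they were written.
class ToyCacheStore
  def initialize
    @backend = {}
  end

  def write(key, value, raw: false)
    @backend[key] = raw ? value.to_s : Marshal.dump(value)
  end

  def read(key, raw: false)
    blob = @backend[key]
    return nil if blob.nil?
    raw ? blob : Marshal.load(blob) # non-raw read trusts the stored bytes
  end

  def fetch(key, raw: false)
    hit = read(key, raw: raw)
    return hit unless hit.nil?
    value = yield
    write(key, value, raw: raw)
    value
  end
end

# Constructed untrusted input: a string that happens to be a valid Marshal
# stream. Here it encodes a harmless Array; in the advisory's scenario the
# bytes are chosen by the user.
UNTRUSTED_STRING = Marshal.dump(["not", "a", "plain", "string"]).freeze

# Inconsistent use of `raw`: written raw in one code path, read non-raw in
# another. The user-provided string comes back as a Ruby object.
def inconsistent_round_trip(cache = ToyCacheStore.new)
  cache.fetch("demo", raw: true) { UNTRUSTED_STRING }
  cache.fetch("demo") { "never used" }
end

# Consistent use of `raw`: the same bytes come back as the String they were.
def consistent_round_trip(cache = ToyCacheStore.new)
  cache.fetch("demo", raw: true) { UNTRUSTED_STRING }
  cache.fetch("demo", raw: true) { "never used" }
end

# Workaround from the advisory: check that a raw-cached user string has the
# expected format before using it. This example expects a decimal counter
# (an assumption for the demonstration) and returns nil for anything else.
COUNTER_FORMAT = /\A\d+\z/.freeze

def read_counter(cache, key)
  value = cache.read(key, raw: true)
  return nil if value.nil?
  COUNTER_FORMAT.match?(value) ? Integer(value, 10) : nil
end
```

The inconsistent round trip returns an Array built from the cached bytes,
which is the type confusion the advisory warns about; the consistent round
trip returns the original String, and `read_counter` refuses the same bytes
because they do not match the expected format.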


Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails
5.2.4.2.

* 5-2-cache-storage.patch - Patch for 5.2 series
* 6-0-cache-storage.patch - Patch for 6.0 series


Credits
-------

Thank you to Dylan Thacker-Smith for reporting this vulnerability via
our HackerOne program and providing a comprehensive set of patches.

_____________________________________________________________________

Ability to forge per-form CSRF tokens given a global CSRF token

It is possible, given a global CSRF token such as the one present in the
authenticity_token meta tag, to forge a per-form CSRF token for any action
for that session. This vulnerability has been assigned the CVE identifier
CVE-2020-8166.


Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications without existing HTML injection
vulnerabilities.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1


Impact
------

Given the ability to extract the global CSRF token, an attacker would be
able to construct a per-form CSRF token for that session.

Releases
--------

The fixed releases are available on RubyGems.


Workarounds
-----------

This is a low-severity security issue. As such, no workaround is
necessary until such time as the application can be upgraded.

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails
5.2.4.2.

* 5-2-per-form-csrf.patch - Patch for 5.2 series
* 6-0-per-form-csrf.patch - Patch for 6.0 series


Credits
-------

Thanks to https://hackerone.com/jregele for reporting this issue via our
HackerOne bug bounty program.

_____________________________________________________________________

CSRF Vulnerability in rails-ujs

There is a vulnerability in rails-ujs that allows attackers to send
CSRF tokens to wrong domains.
This vulnerability has been assigned the CVE identifier CVE-2020-8167.

Versions Affected:  rails <= 6.0.3
Not affected:       Applications which don't use rails-ujs.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1


Impact
------

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href
attribute of an anchor tag or the action attribute of a form tag that
will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.


Releases
--------
The FIXED releases are available at the normal locations.


Workarounds
-----------

To work around this problem, change code that allows users to control
the href attribute of an anchor tag or the action attribute of a form
tag to filter the user parameters.

For example, code like this:

    link_to params

to code like this:

    link_to filtered_params

    def filtered_params
      # Filter just the parameters that you trust
    end
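The following added example, which is neither rails-ujs nor Rails code,
fills in the `filtered_params` idea from the workaround above. Request
params are modelled as a plain Hash; the application's own host and the
allowlisted keys are assumptions. It keeps only trusted keys for a
`link_to params` style call, and it checks a user-influenced link target
or form action so that it is used only when it stays on the application's
own origin.

```ruby
require "uri"

# Constructed example of the advisory's `filtered_params` idea (not rails-ujs
# or Rails code). Request params are modelled as a plain Hash; the
# application's own host and the allowlisted keys are assumptions.
OWN_HOST = "app.example.org".freeze
ALLOWED_LINK_KEYS = %w[controller action id page].freeze

# True when the browser would resolve href on our own origin: relative paths
# qualify, absolute http(s) URLs only with our host; scheme-relative
# (//other.host/...) and non-http schemes do not.
def same_origin_href?(href, own_host: OWN_HOST)
  uri = URI.parse(href.to_s)
  return false if uri.scheme && !%w[http https].include?(uri.scheme.downcase)
  uri.host.nil? || uri.host.downcase == own_host
rescue URI::InvalidURIError
  false
end

# `link_to params` hands every user-supplied key to url_for, including keys
# such as host or protocol that move the link off-origin. Keep an allowlist.
def filtered_params(params, allowed: ALLOWED_LINK_KEYS)
  params.each_with_object({}) do |(k, v), out|
    out[k.to_s] = v if allowed.include?(k.to_s)
  end
end

# For a user-influenced form action or link target: use it only when it stays
# on our origin, otherwise fall back to a fixed local path.
def safe_action_url(candidate, fallback: "/")
  same_origin_href?(candidate) ? candidate.to_s : fallback
end
```

`filtered_params` drops `host` and `protocol` from a params hash that an
attacker has padded with them, and `safe_action_url` replaces a
scheme-relative or foreign-host target with the fallback path, so the
CSRF token carried by rails-ujs is only ever posted to the application's
own origin.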


Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for the supported release series. They are in git-am format and
consist of a single changeset.

* 5-2-rails-ujs.patch - Patch for 5.2 series
* 6-0-rails-ujs.patch - Patch for 6.0 series


Credits
-------

Thanks to Ben Toews of GitHub for reporting the vulnerability to us.

_____________________________________________________________________

Potential remote code execution of user-provided local names in Rails <
5.0.1

There was a vulnerability in versions of Rails prior to 5.0.1 that would
allow an attacker who controlled the `locals` argument of a `render`
call to achieve remote code execution.

This vulnerability has been assigned the CVE identifier CVE-2020-8163.

Versions Affected:  rails < 5.0.1
Not affected:       Applications that do not allow users to control the
names of locals.
Fixed Versions:     4.2.11.2


Impact
------

In the scenario where an attacker might be able to control the name of a
local passed into `render`, they can achieve remote code execution.


Releases
--------

Users of Rails 5.0 should upgrade to a version >= 5.0.1. This release is
already available on RubyGems.


Workarounds
-----------

Until such time as the patch can be applied, application developers
should ensure that all user-provided local names are alphanumeric.
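The following added helper is not Rails code; it implements the workaround
above for an application that builds the `locals` of a `render` call from
user-supplied names. Every name must be a plain identifier before it is
accepted, and one bad name rejects the whole set. The accepted character
set (ASCII letters, digits and underscore, not starting with a digit) is an
assumption for the demonstration.

```ruby
# Constructed helper for the advisory's workaround (not Rails code): accept a
# user-supplied set of local names only when each one is a plain identifier.
# Allowing ASCII letters, digits and underscore, not starting with a digit,
# is an assumption for this demonstration.
LOCAL_NAME_FORMAT = /\A[A-Za-z_][A-Za-z0-9_]*\z/.freeze

class UnsafeLocalName < ArgumentError; end

# Raises on the first name that is not a plain identifier; otherwise returns
# the names as symbols, ready to be used as `locals` keys.
def validate_local_names!(names)
  names.each do |name|
    s = name.to_s
    raise UnsafeLocalName, "rejected local name: #{s.inspect}" unless LOCAL_NAME_FORMAT.match?(s)
  end
  names.map(&:to_sym)
end

# Builds the `locals` hash for render from a user-supplied list of names and
# a lookup of values, rejecting the whole request if any name fails the check.
def locals_from_user(user_names, values)
  validate_local_names!(user_names).each_with_object({}) { |n, h| h[n] = values[n.to_s] }
end

# Convenience predicate for callers that only need a yes/no answer.
def safe_local_names?(names)
  validate_local_names!(names)
  true
rescue UnsafeLocalName
  false
end
```

A template would then be rendered with `render template, locals:
locals_from_user(names, values)`; names containing anything other than
identifier characters never reach `render`.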


Patches
-------

As mentioned above, we are releasing the following patch that should
apply cleanly to all releases prior to 5.0.1.

* 4-2-local-variable-restriction.patch


Credits
-------

Thanks to Marc Slemko for reporting this issue via our HackerOne bug
bounty program.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================





