We have a drama again in the Rails community.
The initial report. There are find_by_* methods that are projected onto models, for example find_by_title and find_by_id.
They can be used like this:
find_by_id(params[:id], select: "CUSTOM SQL")
But usually they are used like this:
find_by_id(params[:id])
And SQL injection happens if params[:id] contains {:select => "CUSTOM SQL"}, because the options hash can also be passed in the first argument.
Note: :select is a symbol, not the string "select". Does this mean the trick ?id[select]=SQL will not work? Yes, the key will be a string. In general, params is a hash of type HashWithIndifferentAccess, so in principle it cannot have symbols as keys because they are all stringified on creation.
There is the authlogic gem; it uses find_by_token(token), where token is an object taken from the session (which is stored in a cookie and signed with session_secret). To write :select => "SQL" into it you need to know session_secret, so the vulnerability is extremely rare.
This whole SQL injection CVE isn't worth a damn! So what is this post about? DoS!
I just started digging further, because I have been using alternative inputs for a long time. Rails accepts three types of request.body by default: XML, JSON and x-www-form-urlencoded. The absolute majority of applications use the latter, which looks like key=val&key2=val2. But if the client sends the right Content-Type, another parser is picked automatically: XML or JSON, and even YAML, though that one is turned off by default.
And the XML parser is flexible. For example, if you send
<id type="symbol">all</id>
then the code find(params[:id]) executes exactly like find(:all).
Or
<id type="yaml">---....</id>
User input is turned into symbols, and symbols are never collected by the GC. This script can be used to DoS a Rails application from the browser console (the script has been removed so script kiddies can't use it). Try it on localhost and watch the memory of the ruby process.
A patch for application.rb that turns off the alternative parsers:
ActionDispatch::ParamsParser::DEFAULT_PARSERS = {}
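For those who cannot simply drop the XML parser, here is an added example (not code from the original post or from Rails) of the two defensive checks implied above: inspecting a raw XML body for the dangerous type="symbol" / type="yaml" attributes before the params parser sees it, and forcing params[:id] to a plain integer before it reaches a find_by_* call. It assumes only plain Ruby with the stdlib REXML parser; the function names dangerous_xml_types and strict_id are my own.

```ruby
require 'rexml/document'

# Typed XML values that older Rails XML parsers turned into non-string
# objects: "symbol" values are never garbage-collected (memory DoS),
# "yaml" values deserialize arbitrary Ruby objects.
DANGEROUS_XML_TYPES = %w[symbol yaml].freeze

# Walk an XML request body and return every element whose type attribute
# is dangerous, as "element:type" strings. A middleware can reject the
# request when this is non-empty. Returns [] for a harmless body and
# ['unparseable'] when the body is not well-formed XML.
def dangerous_xml_types(body)
  doc = REXML::Document.new(body)
  found = []
  REXML::XPath.each(doc, '//*[@type]') do |el|
    t = el.attributes['type'].to_s.strip.downcase
    found << "#{el.name}:#{t}" if DANGEROUS_XML_TYPES.include?(t)
  end
  found
rescue REXML::ParseException
  ['unparseable']
end

# Hardening for find_by_id(params[:id]): the finder accepts an options
# hash in its first argument, so a Hash (or a Symbol such as :all) must
# never reach it. Only a decimal integer ID is allowed through; anything
# else, including "1 OR 1=1", raises ArgumentError.
def strict_id(value)
  case value
  when Integer
    value
  when String
    raise ArgumentError, "id must be an integer: #{value.inspect}" unless value.match?(/\A\d+\z/)
    value.to_i
  else
    raise ArgumentError, "unexpected id type #{value.class}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request bodies, not captured traffic.
  p dangerous_xml_types('<id type="symbol">all</id>')       # ["id:symbol"]
  p dangerous_xml_types('<post><title>hi</title></post>')    # []
  p strict_id('42')                                         # 42
end
```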
PS: but that's not all (there is a revival of the old CVE with [1, nil] via a JSON/XML payload).