
The dangers of using open-uri

OpenURI in Ruby is a standard library that greatly simplifies working with URLs: it wraps Net::HTTP, HTTPS and FTP behind a single open method. As far as I know this is the most popular way to download a file, make a GET request or read remote data.

But in fact, require "open-uri" patches Kernel.open and dispatches to different code depending on the argument, which can lead to remote code execution or to reading any file on the server!

open(params[:url]) is code execution for url = |ls. Everything that begins with | is treated as a system command.

open(params[:url]) if params[:url] =~ /^http:\/\// is no better for url = "|touch n;\nhttp://url.com" (^ matches right after the newline, so the check passes; sloppy regexes can lead to RCE, anchor with \A and \z instead).

open(URI(params[:url])) reads any file on the server: url = /etc/passwd is a valid URI, but open-uri falls back to the original Kernel.open because the argument does not begin with http://.

open-uri is a great demonstration of how Ruby creates problems from scratch: it patches a critical system method only to read external URLs, which most likely contain user input. And no one warns about this, just as Rails once shipped an XML parser by default, which led to RCE on absolutely all Rails sites.

Another example: open(params[:url]) if URI(params[:url]).scheme == 'http'. It looks better already, but if an attacker manages to get a folder named http created, they can read any file using http:/../../../../../etc/passwd (hi, CarrierWave!). Of course, it is unlikely that such a folder will be created, but it is a good demonstration of why parsing a URL is hard and what a bad idea it was to extend the system method open instead of creating a separate openURI(url).
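The defensive counterpart to the checks above, as an added example that is not part of the original post: parse the user-supplied string first, require an absolute http(s) URL with a host, and then call open on the URI object (open-uri's own URI::HTTP#open) rather than on the raw string, so Kernel.open is never reached with user input. The function names parse_safe_url, safe_url? and fetch_url are my own, and the sample inputs are constructed to mirror the cases discussed in the post.

```ruby
require "uri"
require "open-uri"

# Added example, not code from the original post.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the parsed URI when the string is an absolute http(s) URL with a
# host, and nil otherwise. Validation happens on the parsed object, not on
# the raw string with a ^-anchored regex.
def parse_safe_url(str)
  return nil unless str.is_a?(String)
  # Control characters (including "\n") defeat ^/$ regex checks; refuse them outright.
  return nil if str.match?(/[[:cntrl:]]/)
  uri = URI.parse(str)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme)
  # "http:/../../etc/passwd" parses with scheme "http" but no host; reject it.
  return nil if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError
  # "|ls" and similar are not URIs at all.
  nil
end

def safe_url?(str)
  !parse_safe_url(str).nil?
end

# Fetches the body via URI::HTTP#open (open-uri's method for parsed http(s)
# URIs). The string form of open is never used, so a leading "|" or a bare
# filesystem path can never be interpreted as a command or a local file.
# Raises before any network I/O when the input does not validate.
def fetch_url(str)
  uri = parse_safe_url(str)
  raise ArgumentError, "refusing to open #{str.inspect}" unless uri
  uri.open(read_timeout: 5) { |io| io.read }
end

if __FILE__ == $0
  # Constructed inputs mirroring the cases in the text; no network access here.
  [
    "|ls",
    "|touch n;\nhttp://url.com",
    "/etc/passwd",
    "http:/../../../../../etc/passwd",
    "https://example.com/data.json"
  ].each { |input| puts "#{input.inspect} => #{safe_url?(input)}" }
end
```

Only the last input validates; the other four are rejected before open is ever called. Note that this only addresses the command-execution and local-file cases from the post; host allow-listing (against requests to internal addresses) is a separate concern this example does not cover.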

My past reflections on the problem of magic in Rails.

Source: https://habr.com/ru/post/251823/
