Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ERB Injection vulnerability #825

Closed
DanielHeath opened this issue May 9, 2018 · 10 comments
Closed

ERB Injection vulnerability #825

DanielHeath opened this issue May 9, 2018 · 10 comments
Labels

Comments

@DanielHeath
Copy link

Just noticed that there's no escaping in
https://github.com/comfy/comfortable-mexican-sofa/blob/master/lib/comfortable_mexican_sofa/content/tags/helper.rb#L36

If I write:

cms:helper whitelisted_helper foo#{Kernel.exec('poweroff')}

it'll get turned into

<%= whitelisted_helper("foo#{Kernel.exec('poweroff')}") %>

When ERB interprets this, it'll execute poweroff.

@GBH
Copy link
Member

GBH commented May 9, 2018

Good catch. I think the solution is to wrap argument strings in single quotes to prevent interpolation.

@GBH GBH added the bug label May 9, 2018
@DanielHeath
Copy link
Author

Wouldn't I be able to then do (eg)

cms:helper whitelisted_helper foo'+"#{Kernel.exec('poweroff')}"+'

to get

<%= whitelisted_helper('foo'+"#{Kernel.exec('poweroff')}"+'') %>

@GBH
Copy link
Member

GBH commented May 9, 2018

No I mean something like this:

cms:helper whitelisted_helper foo'+"#{Kernel.exec('poweroff')}"+'

would generate:

<%= whitelisted_helper('foo\'+"#{Kernel.exec(\'poweroff\')}"+\'') %>

@DanielHeath
Copy link
Author

DanielHeath commented May 9, 2018

Ahh. As long as you escape closing singlequotes it'd be alright. Another alternative would be to encode (via base64 or similar) the argument strings, then generate a decode("base64_content").

That way you only have to worry about the 64 potentially troublesome characters instead of the entirety of unicode

@GBH
Copy link
Member

GBH commented May 9, 2018

Base64 is probably too confusing imo. It's definitely is a larger bug with how cms tags are getting parsed and initialized. Gotta make sure it's not possible to send something through content that gets interpolated down the line.

PR is welcome, but I'll be looking into this shortly.

@DanielHeath
Copy link
Author

Base64 is confusing but you can easily be confident there's no way around it.

Ensuring a string can't be closed by blacklisting specific characters means that if you miss anything you have a bug.

@DanielHeath
Copy link
Author

Alternatively, this is what liquid templates were built to solve.

@GBH
Copy link
Member

GBH commented May 9, 2018

Seems that only cms:partial and cms:helper are affected because those are the only tags where I construct content output in a way that strings are getting interpolated.

I looked at Liquid at one time. It does a lot of things I don't need and doesn't do a ton things that I do need. Tag params handling is something I added: https://github.com/GBH/liquid_tag_with_params but then I realised that I'd need to do some really ugly monkey-patching to make it parse content the way CMS does it now.

@GBH GBH closed this as completed in 39ae5e3 May 9, 2018
@GBH
Copy link
Member

GBH commented May 9, 2018

@DanielHeath Should be fixed now in master. Can you confirm that it fixes your issue?

@DanielHeath
Copy link
Author

Yep :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants