Merge pull request #380 from rschultheis/rails_vuln

rails vulns march 13 CVE-2019-5418 and CVE-2019-5420

Author: phillmv

gems/actionview/CVE-2019-5418.yml

@@ -0,0 +1,98 @@
+---
+gem: actionview
+framework: rails
+cve: 2019-5418
+date: 2019-03-13
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
+
+title: File Content Disclosure in Action View
+
+description: |
+  There is a possible file content disclosure vulnerability in Action View. This
+  vulnerability has been assigned the CVE identifier CVE-2019-5418.
+
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
+
+  Impact
+  ------
+  There is a possible file content disclosure vulnerability in Action View.
+  Specially crafted accept headers in combination with calls to `render file:`
+  can cause arbitrary files on the target server to be rendered, disclosing the
+  file contents.
+
+  The impact is limited to calls to `render` which render file contents without
+  a specified accept format.  Impacted code in a controller looks something like
+  this:
+
+  ```
+  class UserController < ApplicationController
+    def index
+      render file: "#{Rails.root}/some/file"
+    end
+  end
+  ```
+
+  Rendering templates as opposed to files is not impacted by this vulnerability.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
+  available at the normal locations.
+
+  Workarounds
+  -----------
+  This vulnerability can be mitigated by specifying a format for file rendering,
+  like this:
+
+  ```
+  class UserController < ApplicationController
+    def index
+      render file: "#{Rails.root}/some/file", formats: [:html]
+    end
+  end
+  ```
+
+  In summary, impacted calls to `render` look like this:
+
+  ```
+  render file: "#{Rails.root}/some/file"
+  ```
+
+  The vulnerability can be mitigated by changing to this:
+
+  ```
+  render file: "#{Rails.root}/some/file", formats: [:html]
+  ```
+
+  Other calls to `render` are not impacted.
+
+  Alternatively, the following monkey patch can be applied in an initializer:
+
+  ```
+  $ cat config/initializers/formats_filter.rb
+  # frozen_string_literal: true
+
+  ActionDispatch::Request.prepend(Module.new do
+    def formats
+      super().select do |format|
+        format.symbol || format.ref == "*/*"
+      end
+    end
+  end)
+  ```
+
+  Credits
+  -------
+  Thanks to John Hawthorn <john@hawthorn.email> of GitHub
+
+patched_versions:
+  - "~> 4.2.11, >= 4.2.11.1"
+  - "~> 5.0.7, >= 5.0.7.2"
+  - "~> 5.1.6, >= 5.1.6.2"
+  - "~> 5.2.2, >= 5.2.2.1"
+  - ">= 6.0.0.beta3"

gems/railties/CVE-2019-5420.yml

@@ -0,0 +1,46 @@
+---
+gem: railties
+framework: rails
+cve: 2019-5420
+date: 2019-03-13
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
+
+title: Possible Remote Code Execution Exploit in Rails Development Mode
+
+description: |
+  There is a possible a possible remote code executing exploit in Rails when in
+  development mode. This vulnerability has been assigned the CVE identifier
+  CVE-2019-5420.
+
+  Versions Affected:  6.0.0.X, 5.2.X.
+  Not affected:       None.
+  Fixed Versions:     6.0.0.beta3, 5.2.2.1
+
+  Impact
+  ------
+  With some knowledge of a target application it is possible for an attacker to
+  guess the automatically generated development mode secret token.  This secret
+  token can be used in combination with other Rails internals to escalate to a
+  remote code execution exploit.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
+
+  Workarounds
+  -----------
+  This issue can be mitigated by specifying a secret key in development mode.
+  In "config/environments/development.rb" add this:
+
+    config.secret_key_base = SecureRandom.hex(64)
+
+  Credits
+  -------
+  Thanks to ooooooo_q
+
+patched_versions:
+  - "~> 5.2.2, >= 5.2.2.1"
+  - ">= 6.0.0.beta3"