|
| 1 | +--- |
| 2 | +gem: actionview |
| 3 | +framework: rails |
| 4 | +cve: 2019-5419 |
| 5 | +date: 2019-03-13 |
| 6 | +url: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI |
| 7 | + |
| 8 | +title: Denial of Service Vulnerability in Action View |
| 9 | + |
| 10 | +description: | |
| 11 | + There is a potential denial of service vulnerability in MODULE / COMPONENT. |
| 12 | + This vulnerability has been assigned the CVE identifier CVE-2019-5419. |
| 13 | +
|
| 14 | + Impact |
| 15 | + ------ |
| 16 | + Specially crafted accept headers can cause the Action View template location |
| 17 | + code to consume 100% CPU, causing the server unable to process requests. This |
| 18 | + impacts all Rails applications that render views. |
| 19 | +
|
| 20 | + All users running an affected release should either upgrade or use one of the |
| 21 | + workarounds immediately. |
| 22 | +
|
| 23 | + Workarounds |
| 24 | + ----------- |
| 25 | + This vulnerability can be mitigated by wrapping `render` calls with |
| 26 | + `respond_to` blocks. For example, the following example is vulnerable: |
| 27 | +
|
| 28 | + ``` |
| 29 | + class UserController < ApplicationController |
| 30 | + def index |
| 31 | + render "index" |
| 32 | + end |
| 33 | + end |
| 34 | + ``` |
| 35 | +
|
| 36 | + But the following code is not vulnerable: |
| 37 | +
|
| 38 | + ``` |
| 39 | + class UserController < ApplicationController |
| 40 | + def index |
| 41 | + respond_to |format| |
| 42 | + format.html { render "index" } |
| 43 | + end |
| 44 | + end |
| 45 | + end |
| 46 | + ``` |
| 47 | +
|
| 48 | + Implicit rendering is impacted, so this code is vulnerable: |
| 49 | +
|
| 50 | + ``` |
| 51 | + class UserController < ApplicationController |
| 52 | + def index |
| 53 | + end |
| 54 | + end |
| 55 | + ``` |
| 56 | +
|
| 57 | + But can be changed this this: |
| 58 | +
|
| 59 | + ``` |
| 60 | + class UserController < ApplicationController |
| 61 | + def index |
| 62 | + respond_to |format| |
| 63 | + format.html { render "index" } |
| 64 | + end |
| 65 | + end |
| 66 | + end |
| 67 | + ``` |
| 68 | +
|
| 69 | + Alternatively to specifying the format, the following monkey patch can be |
| 70 | + applied in an initializer: |
| 71 | +
|
| 72 | + ``` |
| 73 | + $ cat config/initializers/formats_filter.rb |
| 74 | + # frozen_string_literal: true |
| 75 | +
|
| 76 | + ActionDispatch::Request.prepend(Module.new do |
| 77 | + def formats |
| 78 | + super().select do |format| |
| 79 | + format.symbol || format.ref == "*/*" |
| 80 | + end |
| 81 | + end |
| 82 | + end) |
| 83 | + ``` |
| 84 | +
|
| 85 | +patched_versions: |
| 86 | + - ">= 6.0.0.beta3" |
| 87 | + - "~> 5.2.2, >= 5.2.2.1" |
| 88 | + - "~> 5.1.6, >= 5.1.6.2" |
| 89 | + - "~> 5.0.7, >= 5.0.7.2" |
| 90 | + - "~> 4.2.11, >= 4.2.11.1" |
0 commit comments