Rails 5 - Can anyone explain how generating a URL from non-sanitized request parameters is unsafe?

Say I have the following:

link_to "Excel", params.merge(format: 'xlsx')

Rails 5 says,

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

I guess I don't understand how this is unsafe. Anyone can type anything they want in a browser and perform a GET request to my server anyway. What's the difference?

I know I can work around it with permit! What I'm trying to understand is what sanitizing my parameters accomplishes.

JP Duffy asked Aug 25 '16 18:08


2 Answers

You should review the documentation, both from OWASP as well as Rails itself.

By using permit, you have an opportunity to disallow setting attributes that you don't want passed to your url helper.

Consider the following link, directed to your website, coming from a Twitter post:

http://example.com/your/action?host=phishingscam.example&path=login

If your code looks like this, you're in trouble:

link_to 'View Something', params.merge(format: 'xlsx')

Now the link goes to:

http://phishingscam.example/login.xlsx

The attacking website, phishingscam.example, can set the content type to text/html and render a page that looks like your login form. The user, who was on your site a moment ago and clicked to view something on your site, believes they got logged out and need to log in again. Now our attacker has the user credentials and can redirect them back over to the appropriate link with the user wholly unaware of what happened.

This is a simple scenario. Things can get convoluted pretty quickly. You should read the Rails security guide to learn more.

coreyward answered Oct 13 '22 10:10
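To make the host-injection scenario above concrete without a Rails app, here is an added example (not code from the answer or from Rails): a minimal plain-Ruby stand-in for url_for, where routing keys such as host and path in the options hash steer the generated URL exactly as the answer describes, beside an allow-list helper that mimics what params.permit accomplishes. The attacker parameter hash, the CURRENT_HOST constant and the permit/unsafe_link/safe_link helpers are constructed for this illustration.

```ruby
require 'uri'

# Constructed sample: the query string of the Twitter link from the answer,
# as the controller would see it in params (a plain Hash stands in for
# ActionController::Parameters here).
CURRENT_HOST = 'example.com'.freeze
ATTACKER_PARAMS = { 'host' => 'phishingscam.example', 'path' => 'login', 'sort' => 'name' }.freeze

# Keys that Rails url helpers treat as routing options rather than query parameters.
ROUTE_OPTIONS = %w[host protocol port path format].freeze

# Minimal stand-in for url_for (hypothetical, not the Rails implementation):
# routing keys in the hash change the generated URL, everything else becomes a
# query string. This is the behaviour the Rails 5 warning is about.
def url_for(options)
  opts = options.transform_keys(&:to_s)
  host = opts.fetch('host', CURRENT_HOST)
  path = '/' + opts.fetch('path', 'your/action').sub(%r{\A/}, '')
  path += ".#{opts['format']}" if opts['format']
  query = opts.reject { |k, _| ROUTE_OPTIONS.include?(k) }
  uri = URI::HTTP.build(host: host, path: path)
  uri.query = URI.encode_www_form(query) unless query.empty?
  uri.to_s
end

# Vulnerable pattern from the question: every request parameter, including
# attacker-supplied routing keys, reaches the url helper.
def unsafe_link(params)
  url_for(params.merge(format: 'xlsx'))
end

# What params.permit accomplishes: only an explicit allow-list of keys survives,
# so routing keys smuggled in via the query string are dropped.
def permit(params, allowed)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Hardened pattern: allow-list first, then merge the values the view controls.
def safe_link(params)
  url_for(permit(params, %w[sort direction page]).merge(format: 'xlsx'))
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_link(ATTACKER_PARAMS) # http://phishingscam.example/login.xlsx?sort=name
  puts safe_link(ATTACKER_PARAMS)   # http://example.com/your/action.xlsx?sort=name
end
```

The unsafe link points at the attacker's host because host and path came straight from the request; the permitted version keeps only the sort key and stays on the application's own host.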


The easy way:

If you have something like this:

link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}

You must include the parameters in permit.

You can use this:

link_to title, params.permit(:direction, :page).merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}

Voila!!

Eduard Avendaño answered Oct 13 '22 11:10