Technical information leak - IPs - Ruby

Technical information leak - IPs - Ruby

Need

Prevention of internal IP address exposure

Context

  • Requirement of Ruby 2.0 or newer for running the application
  • Usage of Rails framework for building web applications

Description

Non compliant code

        class HomeController < ApplicationController
  def index
    @ip_address = request.remote_ip
    render json: { ip: @ip_address }
  end
end
        
        

This Ruby on Rails controller action is vulnerable because it exposes the IP address of the requestor. In the index action of the HomeController, it retrieves the IP address of the request using the request.remote_ip method and then returns this IP address in the JSON response.

This can be considered a technical information leak as it exposes potentially sensitive information about the user's network. An attacker could use this information for malicious purposes, such as IP spoofing, or even to target the user's network for further attacks.

The IP address is considered sensitive information and should not be exposed unnecessarily. It is particularly risky in this case because the IP address is being exposed to anyone who can make a request to this endpoint, without any form of authentication or authorization.

Steps

  • Remove the line that assigns the remote IP address to the @ip_address variable.
  • Do not include the @ip_address variable in the JSON response.
  • Ensure that the web server is properly configured to not expose internal IP addresses.

Compliant code

        class HomeController < ApplicationController
  def index
    render json: { message: "Home Page" }
  end
end
        
        

The original code was exposing the IP address of the client making the request. This is a security vulnerability as it can lead to information leakage. The IP address can be used by malicious actors to gain more information about the network and potentially exploit other vulnerabilities.

The fixed code removes the line that assigns the remote IP address to the @ip_address variable. This means that the IP address is no longer stored in the server-side variable and is therefore not exposed in the JSON response.

The JSON response now only includes a simple message indicating that the request has hit the home page. This ensures that no technical information is leaked through the response.

In addition to this code change, it's important to ensure that the web server is properly configured to not expose internal IP addresses. This can usually be achieved through the server's configuration settings.

References