From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
From: schneems <richard.schneeman+foo@gmail.com>
Date: Tue, 24 Apr 2018 16:32:22 -0500
Subject: [PATCH] Do not respond to http requests asking for a `file://`

Based on CVE-2018-3760, when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted URL that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with Rails (`config.public_file_server.enabled = true`).

This patch mitigates the issue by explicitly disallowing any requests to any URI resources via the server.
---
test/test_server.rb | 7 +++++++
1 file changed, 7 insertions(+), 0 deletion(-)

diff --git a/test/test_server.rb b/test/test_server.rb
index 66429533..19921e19 100644
--- a/test/test_server.rb
+++ b/test/test_server.rb
@@ -320,6 +320,13 @@ def app
assert_equal 403, last_response.status
end

+ test "illegal access of a file asset" do
+ absolute_path = fixture_path("server/app/javascripts")
+
+ get "assets/file:%2f%2f//#{absolute_path}/foo.js"
+ assert_equal 403, last_response.status
+ end
+
test "add new source to tree" do
filename = fixture_path("server/app/javascripts/baz.js")
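Review bot: only the new test is in this diff; the change to the Sprockets server that would make a `file://` request return 403 is not in the hunk, and the diffstat (`1 file changed, 7 insertions(+)`) confirms nothing else changed, so as submitted this test cannot pass and the message's claim that the patch "mitigates the issue" is not backed by the visible lines. Include the server-side change in the same patch (or reference the commit that carries it) so the test and the fix land together. Also consider asserting on the response body alongside `assert_equal 403, last_response.status`, so the test distinguishes an explicit URI-scheme rejection from any other 403 path, and note that `absolute_path` is only used to build the request URL, which is fine but worth a one-line comment so a reader knows the fixture itself is never expected to be served.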
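The commit message says the mitigation is to refuse any request that names a URI resource. As an added illustration (not the Sprockets project's own fix, and not the code this patch ships), here is a hypothetical Rack-style guard that percent-decodes the request path until stable and returns 403 when the asset part of the path starts with a URI scheme; the sample request reuses the encoded `file:%2f%2f//` form from the test above, with a constructed path in place of the fixture directory.

```ruby
# Hypothetical guard, not the Sprockets patch itself: reject any asset
# request whose path, once percent-decoded, carries a URI scheme such as
# "file://" before it reaches any code that resolves files.
SCHEME_RE = /\A\/*[A-Za-z][A-Za-z0-9+.\-]*:/.freeze

# Percent-decode one round ("%2f" -> "/"); done manually so it runs on any Ruby.
def pct_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# True when the request path smuggles a URI scheme. Decoding is repeated
# until the string stops changing, so double-encoded "%252f" is not
# mistaken for harmless text.
def uri_scheme_request?(path)
  decoded = path.to_s
  loop do
    again = pct_decode(decoded)
    break if again == decoded
    decoded = again
  end
  asset_part = decoded.sub(%r{\A/*(assets/)?}, "")
  !!(asset_part =~ SCHEME_RE)
end

# Minimal Rack wrapper: refuse such paths with 403 instead of letting the
# inner asset app resolve them. Any other request passes straight through.
def guarded_asset_app(inner)
  lambda do |env|
    if uri_scheme_request?(env["PATH_INFO"])
      [403, { "content-type" => "text/plain" }, ["Forbidden"]]
    else
      inner.call(env)
    end
  end
end

# Constructed sample requests (the directory is a placeholder, not a real path).
if __FILE__ == $0
  app = guarded_asset_app(->(_env) { [200, {}, ["ok"]] })
  p app.call("PATH_INFO" => "/assets/file:%2f%2f//tmp/app/foo.js")[0] # 403
  p app.call("PATH_INFO" => "/assets/application-0123abcd.js")[0]    # 200
end
```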