ERB Injection vulnerability #825
Comments
|
Good catch. I think the solution is to wrap argument strings in single quotes to prevent interpolation. |
|
Wouldn't I be able to then do (eg)
to get
|
|
No I mean something like this: would generate: |
|
Ahh. As long as you escape closing singlequotes it'd be alright. Another alternative would be to encode (via base64 or similar) the argument strings, then generate a That way you only have to worry about the 64 potentially troublesome characters instead of the entirety of unicode |
|
Base64 is probably too confusing imo. It's definitely is a larger bug with how cms tags are getting parsed and initialized. Gotta make sure it's not possible to send something through content that gets interpolated down the line. PR is welcome, but I'll be looking into this shortly. |
|
Base64 is confusing but you can easily be confident there's no way around it. Ensuring a string can't be closed by blacklisting specific characters means that if you miss anything you have a bug. |
|
Alternatively, this is what liquid templates were built to solve. |
|
Seems that only I looked at Liquid at one time. It does a lot of things I don't need and doesn't do a ton things that I do need. Tag params handling is something I added: https://github.com/GBH/liquid_tag_with_params but then I realised that I'd need to do some really ugly monkey-patching to make it parse content the way CMS does it now. |
|
@DanielHeath Should be fixed now in master. Can you confirm that it fixes your issue? |
|
Yep :) |
Just noticed that there's no escaping in
https://github.com/comfy/comfortable-mexican-sofa/blob/master/lib/comfortable_mexican_sofa/content/tags/helper.rb#L36
If I write:
cms:helper whitelisted_helper foo#{Kernel.exec('poweroff')}it'll get turned into
<%= whitelisted_helper("foo#{Kernel.exec('poweroff')}") %>When ERB interprets this, it'll execute
poweroff.The text was updated successfully, but these errors were encountered: