Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same way it is in the controllers. We should raise an error if thats happens. Fix CVE-2016-2098.
rails · Feb 29, 2016 · 9e579ef · 9e579ef
1 parent bb382b7
commit 9e579ef
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
@@ -280,6 +280,16 @@ def accessing_logger_in_template
   end
 end
 
+class MetalWithoutAVTestController < ActionController::Metal
+  include AbstractController::Rendering
+  include ActionController::Rendering
+  include ActionController::StrongParameters
+
+  def dynamic_params_render
+    render params
+  end
+end
+
 class ExpiresInRenderTest < ActionController::TestCase
   tests TestController
 
@@ -299,9 +309,10 @@ def test_dynamic_render
   end
 
   def test_dynamic_render_file_hash
-    assert_raises ArgumentError do
+    e = assert_raises ArgumentError do
       get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
     end
+    assert_equal "render parameters are not permitted", e.message
   end
 
   def test_expires_in_header
@@ -500,6 +511,17 @@ def test_access_to_logger_in_view
   end
 end
 
+class MetalRenderWithoutAVTest < ActionController::TestCase
+  tests MetalWithoutAVTestController
+
+  def test_dynamic_params_render
+    e = assert_raises ArgumentError do
+      get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+end
+
 class HeadRenderTest < ActionController::TestCase
   tests TestController
 

diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ def initialize(lookup_context)
 
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if options.respond_to?(:permitted?) && !options.permitted?
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else

diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
@@ -148,6 +148,25 @@ def test_render_outside_path
     end
   end
 
+  def test_render_with_strong_parameters
+    params = { :inline => '<%= RUBY_VERSION %>' }
+    def params.permitted?
+      false
+    end
+    e = assert_raises ArgumentError do
+      @view.render(params)
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+
+  def test_render_with_permitted_strong_parameters
+    params = { inline: "<%= 'hello' %>" }
+    def params.permitted?
+      true
+    end
+    assert_equal 'hello', @view.render(params)
+  end
+
   def test_render_partial
     assert_equal "only partial", @view.render(:partial => "test/partial_only")
   end