Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Do not respond to http requests asking for a file://
Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.

This patch mitigates the issue, but explicitly disallowing any requests to uri resources via the server.
  • Loading branch information
schneems committed Jun 19, 2018
1 parent ef678cc commit c09131c
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/sprockets/server.rb
Expand Up @@ -114,7 +114,7 @@ def forbidden_request?(path)
#
# http://example.org/assets/../../../etc/passwd
#
path.include?("..") || absolute_path?(path)
path.include?("..") || absolute_path?(path) || path.include?("://")
end

def head_request?(env)
Expand Down
7 changes: 7 additions & 0 deletions test/test_server.rb
Expand Up @@ -286,6 +286,13 @@ def app
assert_equal "", last_response.body
end

test "illegal access of a file asset" do
absolute_path = fixture_path("server/app/javascripts")

get "assets/file:%2f%2f//#{absolute_path}/foo.js"
assert_equal 403, last_response.status
end

test "add new source to tree" do
filename = fixture_path("server/app/javascripts/baz.js")

Expand Down

0 comments on commit c09131c

Please sign in to comment.