The dangers of using open-uri

    OpenURI in Ruby is a standard library that greatly simplifies working with URLs: it wraps Net::HTTP (for HTTP and HTTPS) and FTP behind the single open method. As far as I know, this is the most popular way to download a file, make a request or read data.

    But in fact, require "open-uri" patches Kernel.open and runs different code depending on the argument it is given, which can lead to remote code execution or to reading any file on the server!

    open(params[:url]) is code execution for url = "|ls". Everything that starts with | is treated as a command: Kernel.open spawns it as a subprocess and hands back its output.

    open(params[:url]) if params[:url] =~ /^http:\/\// is no better, for url = "|touch n;\nhttp://url.com". In Ruby ^ matches at the start of any line, not only at the start of the string, so a newline in the input gets the payload past the check. Broken regexes can lead to RCE; anchor with \A and \z instead.

    open(URI(params[:url])) reads any file on the server. url = "/etc/passwd" is a valid URI, but open-uri only hands an argument to the network code when it starts with a scheme such as http://; anything else goes to the original Kernel.open, which opens it as a local file.

    open-uri is a great demonstration of how Ruby creates problems from scratch: it patches a critical system method just to read external URLs, which most likely contain user input. And it does not warn anyone about this, just as Rails once shipped with an XML parser enabled by default, which led to RCE on absolutely all Rails sites.

    Another example: open(params[:url]) if URI(params[:url]).scheme == 'http'. This already looks better, but if an attacker manages to get a directory named "http:" created, they will be able to read any file using "http:/../../../../../etc/passwd" (hi CarrierWave!). The string parses with scheme http, so the check passes, but it does not start with http://, so open-uri passes it to the original Kernel.open, which resolves it as a relative path on disk. Of course, it is unlikely that you can create such a directory, but this is a good demonstration of why URL parsing is hard and why it was a bad idea to extend the system open method instead of creating a separate openURI(url).
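    The three open calls and the scheme check discussed above, demonstrated in code. This is an added example, not code from the original post. It runs on current Ruby, where require "open-uri" no longer patches Kernel.open (the override was removed in Ruby 3.0), so the dangerous dispatch is shown by calling Kernel.open and its Ruby 3 replacement URI.open directly; URI.open keeps the same fallback to Kernel.open for strings that are not URLs. The inputs are constructed stand-ins: "|echo pwned" replaces "|ls", and the local-file read uses a temp file rather than /etc/passwd. safe_http_uri, fetch_http and rejected? are hypothetical helper names for the hardened form.

```ruby
require "uri"
require "open-uri"
require "tempfile"

# Constructed user-controlled inputs standing in for params[:url].
PIPE_PAYLOAD = "|echo pwned"                      # harmless stand-in for "|ls"
MULTILINE    = "|touch n;\nhttp://url.com"        # slips past /^http:\/\// via the newline
LOCAL_PATH   = "/etc/passwd"                      # a valid URI, but not a URL
NO_HOST_HTTP = "http:/../../../../../etc/passwd"  # scheme "http", no "//", no host

# Kernel.open with a String: a leading "|" spawns a shell command and the
# IO it returns is that command's stdout; any other string is opened as a
# local file. Before Ruby 3.0, require "open-uri" patched this method so that
# strings starting with a scheme like http:// were fetched over the network,
# and everything else still fell through to exactly this behaviour.
def kernel_open_read(str)
  Kernel.open(str, &:read)
end

# URI.open, the Ruby 3 replacement, keeps the same fallback: a string that
# does not start with "scheme://" is passed on to Kernel.open unchanged.
def uri_open_read(str)
  URI.open(str, &:read)
end

# The check from the post. In Ruby ^ matches after every newline.
def naive_http?(str)
  !!(str =~ %r{^http://})
end

# Anchored to the whole string with \A and \z.
def strict_http?(str)
  !!(str =~ %r{\Ahttps?://\S+\z})
end

# Hardened form (hypothetical helper): parse first, accept only http/https
# with a real host, and never hand the raw string to Kernel.open or URI.open.
# A value like NO_HOST_HTTP has scheme http but no host, so the host check
# rejects it even though the scheme comparison from the post passes.
def safe_http_uri(str)
  uri = URI.parse(str.to_s)
  raise ArgumentError, "only http(s) URLs are allowed" unless uri.is_a?(URI::HTTP)
  raise ArgumentError, "URL has no host" if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError => e
  raise ArgumentError, "not a URL: #{e.message}"
end

# Network fetch only through the URI object's own #open (OpenURI::OpenRead),
# which speaks HTTP and cannot open files or pipes. Restricting destination
# hosts (SSRF) is a separate control not covered here.
def fetch_http(str)
  safe_http_uri(str).open(&:read)
end

def rejected?(str)
  safe_http_uri(str)
  false
rescue ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  puts kernel_open_read(PIPE_PAYLOAD).inspect   # "pwned\n": the command ran
  puts uri_open_read(PIPE_PAYLOAD).inspect      # same result via URI.open
  puts naive_http?(MULTILINE)                   # true: the check is bypassed
  puts strict_http?(MULTILINE)                  # false
  Tempfile.create("secret") do |f|
    f.write("top secret")
    f.flush
    puts kernel_open_read(f.path).inspect       # local file read, no URL involved
  end
  [PIPE_PAYLOAD, MULTILINE, LOCAL_PATH, NO_HOST_HTTP,
   "file:///etc/passwd", "ftp://example.com/x"].each do |s|
    puts "#{s.inspect} rejected: #{rejected?(s)}"
  end
  puts safe_http_uri("https://example.com/data.json").host
end
```

    The point of safe_http_uri is that the decision is made on the parsed object, never on the raw string: URI.parse refuses the pipe and newline payloads outright, a bare path comes back as URI::Generic rather than URI::HTTP, and a scheme-only "http:/..." value fails the host check. Only the object that survives is allowed to call its own HTTP-specific open.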

    My earlier thoughts on the problem of magic in Rails.
