{"id":9352,"date":"2019-09-27T14:19:27","date_gmt":"2019-09-27T17:19:27","guid":{"rendered":"http:\/\/blog.plataformatec.com.br\/?p=9352"},"modified":"2019-09-27T17:07:36","modified_gmt":"2019-09-27T20:07:36","slug":"incorrect-access-control-in-simple-form-cve-2019-16676","status":"publish","type":"post","link":"http:\/\/blog.plataformatec.com.br\/2019\/09\/incorrect-access-control-in-simple-form-cve-2019-16676\/","title":{"rendered":"Incorrect Access Control in Simple Form (CVE-2019-16676)"},"content":{"rendered":"\n<p>Simple Form version&nbsp;<code>5.0<\/code>&nbsp;was released today with a fix for a security issue that could allow an attacker to execute methods on form objects. The issue is explained in details below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"description\">Description<\/h2>\n\n\n\n<p>The issue applies only to forms that are built using user-supplied input. For example, the following form that builds a label based on user input:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><div><code class=\"hljs language-xml\"><span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">%=<\/span> <span class=\"hljs-attr\">simple_form_for<\/span> @<span class=\"hljs-attr\">user<\/span> <span class=\"hljs-attr\">do<\/span> |<span class=\"hljs-attr\">form<\/span>| %&gt;<\/span>\n  <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">%=<\/span> <span class=\"hljs-attr\">form.label<\/span> @<span class=\"hljs-attr\">user_supplied_string<\/span> %&gt;<\/span>\n  ...\n<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">%<\/span> <span class=\"hljs-attr\">end<\/span> %&gt;<\/span>\n<\/code><\/div><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>In this case, the&nbsp;<code>@user_supplied_string<\/code>&nbsp;would be invoked as a method call in the&nbsp;<code>@user<\/code>&nbsp;object (unless the string contains any of the following:&nbsp;<code>password<\/code>,&nbsp;<code>time_zone<\/code>,&nbsp;<code>country<\/code>,&nbsp;<code>email<\/code>,&nbsp;<code>phone<\/code>&nbsp;or&nbsp;<code>url<\/code>).<\/p>\n\n\n\n<p>If you build your forms with backend-provided information only, your application is not affected by this issue.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"possible-implications\">Possible implications<\/h2>\n\n\n\n<p>By knowing that this breach exists, an attacker could invoke any method on the form object. This means that they could do any of the following:<\/p>\n\n\n\n<ul><li>Code execution (call unintended actions like&nbsp;<code>#destroy<\/code>)<\/li><li>Denial of Service (by executing computation-intensive actions)<\/li><li>Information Disclosure (check the presence of methods, leak user information)<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"cause\">Cause<\/h2>\n\n\n\n<p>The issue is caused by Simple Form\u2019s automatically discover of input types feature. When a form input is provided without the&nbsp;<code>as<\/code>&nbsp;option, the library tries to discover which type that input is. This is done with a regular expression for the most common types. Something like this:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><div><code class=\"hljs language-javascript\"><span class=\"hljs-keyword\">case<\/span> attribute_name.to_s\nwhen \/(?:\\b|\\W|_)password(?:\\b|\\W|_)\/  then :password\nwhen \/(?:\\b|\\W|_)time_zone(?:\\b|\\W|_)\/ then :time_zone\nwhen \/(?:\\b|\\W|_)country(?:\\b|\\W|_)\/   then :country\nwhen \/(?:\\b|\\W|_)email(?:\\b|\\W|_)\/     then :email\nwhen \/(?:\\b|\\W|_)phone(?:\\b|\\W|_)\/     then :tel\nwhen \/(?:\\b|\\W|_)url(?:\\b|\\W|_)\/       then :url\n<\/code><\/div><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>This works for a bunch of input types but it doesn\u2019t for file inputs. In the case of file inputs, they can have a lot of different names &#8211;&nbsp;<code>avatar<\/code>,&nbsp;<code>attachment<\/code>,&nbsp;<code>profile_image<\/code>&nbsp;and so on.<\/p>\n\n\n\n<p>In order to discover file inputs, Simple Form was calling&nbsp;<code>#send<\/code>&nbsp;on the object passing&nbsp;<code>attribute_name<\/code>&nbsp;as the parameter. That would result in an object, which would then later be checked against a list of file methods, to decide whether that attribute should be a file input or not:<\/p>\n\n\n<pre class=\"wp-block-code\"><div><code class=\"hljs\">def file_method?(attribute_name)\n  file = @object.send(attribute_name) if @object.respond_to?(attribute_name)\n  file &amp;&amp; SimpleForm.file_methods.any? { |m| file.respond_to?(m) }\nend\n<\/code><\/div><\/pre>\n\n\n<p>The default value of the&nbsp;<code>SimpleForm.file_methods<\/code>&nbsp;config was:&nbsp;<code>[:mounted_as, :file?, :public_filename, :attached?]<\/code>&nbsp;which are basically methods present in some popular file upload Gems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"solution\">Solution<\/h2>\n\n\n\n<p>Simple Form was changed to check in a different way whether some attribute might be suitable for a file input. It now checks for the presence of methods directly, without calling&nbsp;<code>#send<\/code>. For example, the check for ActiveStorage looks like this:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><div><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@object<\/span>.respond_to?(\"#{<span class=\"hljs-selector-tag\">attribute_name<\/span>}_<span class=\"hljs-selector-tag\">attachment<\/span>\")\n<\/code><\/div><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>The officially supported Gems are:<\/p>\n\n\n\n<ul><li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/rails\/rails\/tree\/6-0-stable\/activestorage\" target=\"_blank\">ActiveStorage<\/a>&nbsp;&gt;= 5.2<\/li><li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/carrierwaveuploader\/carrierwave\" target=\"_blank\">Carrierwave<\/a>&nbsp;&gt;= 0.2.1<\/li><li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/refile\/refile\" target=\"_blank\">Refile<\/a>&nbsp;&gt;= 0.2.0<\/li><li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/shrinerb\/shrine\" target=\"_blank\">Shrine<\/a>&nbsp;&gt;= 0.9.0<\/li><li><a href=\"https:\/\/github.com\/thoughtbot\/paperclip\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Paperclip<\/a>&nbsp;&gt;= 2.0 (for backwards compatibility)<\/li><\/ul>\n\n\n\n<p>Although this new code is harder to maintain, we think it\u2019s worth the tradeoff with more security. See the\u00a0<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/plataformatec\/simple_form\/commit\/8c91bd76a5052ddf3e3ab9fd8333f9aa7b2e2dd6\" target=\"_blank\">commit<\/a>\u00a0with the solution for more information.<\/p>\n\n\n\n<p><strong>Note:<\/strong>&nbsp;This solution does not support multiple file upload inputs, as this is very application-specific. To render file input for multiple file upload, use the&nbsp;<code>as<\/code>&nbsp;option.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-upgrade\">How to upgrade<\/h2>\n\n\n\n<p>You might have noticed that we released this fix in a major version (<code>5.0<\/code>). This was done because to fix the issue, we had to fully deprecate the&nbsp;<code>SimpleForm.file_methods<\/code>&nbsp;configuration. There are no other breaking changes in this release, so it should be easy to upgrade.<\/p>\n\n\n\n<p>If you had changed the&nbsp;<code>SimpleForm.file_methods<\/code>&nbsp;configuration to include other methods, please check whether they are from one of the supported Gems. If they are, you should be fine without them. If they are from another upload library, please&nbsp;<a href=\"https:\/\/github.com\/plataformatec\/simple_form\/issues\/new\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">open an issue<\/a>&nbsp;asking for support and we\u2019ll take a look into it.<\/p>\n\n\n\n<p>In the meantime, you can explicitly say which type the input is:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><div><code class=\"hljs language-xml\"><span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">%=<\/span> <span class=\"hljs-attr\">form.input<\/span> <span class=\"hljs-attr\">:avatar<\/span>, <span class=\"hljs-attr\">as:<\/span> <span class=\"hljs-attr\">:file<\/span> %&gt;<\/span>\n<\/code><\/div><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\" id=\"cant-upgrade\">Can\u2019t upgrade?<\/h3>\n\n\n\n<p>If you can\u2019t upgrade for any reason but want to be protected from the security breach, you can also explicitly pass the input type &#8211; using&nbsp;<code>as<\/code>&nbsp;&#8211; to your user-based forms. That would make Simple Form return early and not execute the user input on the object.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"acknowledgments\">Acknowledgments<\/h2>\n\n\n\n<p>We want to thank&nbsp;<a href=\"https:\/\/github.com\/tessi\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Philipp Tessenow<\/a>, who reported the issue with all the necessary details and was helpful throughout the steps of the fix until the release. Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Simple Form version 5.0 was released today with a fix for a security issue that could allow an attacker to execute methods on form objects. The issue is explained in details below.<\/p>\n","protected":false},"author":54,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[105],"aioseo_notices":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/9352"}],"collection":[{"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/comments?post=9352"}],"version-history":[{"count":16,"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/9352\/revisions"}],"predecessor-version":[{"id":9370,"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/9352\/revisions\/9370"}],"wp:attachment":[{"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/media?parent=9352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/categories?post=9352"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/tags?post=9352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}