CSRF Protection Bypass in Ruby on Rails

There is a vulnerability in Ruby on Rails which could allow an attacker to circumvent the CSRF protection provided. This vulnerability has been assigned the CVE Identifier CVE-2011-0447.

  • Versions Affected: 2.1.0 and above
  • Not affected: Applications which don’t use the built in CSRF protection.
  • Fixed Versions: 3.0.4, 2.3.11

Impact

Certain combinations of browser plugins and HTTP redirects can be used to trick the user’s browser into making cross-domain requests which include arbitrary HTTP headers specified by the attacker. An attacker can utilise this to spoof ajax and API requests and bypass the built in CSRF protection and successfully attack an application. All users running an affected release should upgrade or apply the patches immediately.

Releases

The 3.0.4 and 2.3.11 releases are available at the normal locations.

Upgrade Process

There are two major changes in this fix, the behaviour when CSRF protection fails has changed and the token will now be required for all non-GET requests.

After applying this patch failed CSRF requests will no longer generate HTTP 500 errors, instead the session will be reset. Users can override this behaviour by overriding handle_unverified_request in their own controllers.

Users must still take care that users cannot be auto logged in via non-session data. For example, an application using filters to implement ‘remember me’ functionality must either remove those cookies in their handle_unverified_request handlers or ensure that the remember me code is only executed on GET requests. A custom handler which removes the remember_me cookie would look like:

def handle_unverified_request super # call the default behaviour which resets the session cookies.delete(:remember_me) # remove the auto login cookie so the fraudulent request is rejected. end

There are two steps to ensuring that your application sends the CSRF Token with every ajax request. Providing the token in a meta tag, then ensuring your javascript reads those values and provides them with each request. The first step involves you including the csrf_meta_tag helper somewhere in your application’s layout. Rails 3 applications likely already include this helper, however it has now been backported to the 2.3.x series. An example of its use would be something like this in application.html.erb:

<%= javascript_include_tag :defaults %> <%= csrf_meta_tag %>

In addition to altering the templates, an application’s javascript must be changed to send the token with Ajax requests. Rails 3 applications can just update their rails.js file using rake rails:update, 2.x applications which don’t use the built-in ajax view helpers will need to add a framework-specific snippet to their application.js. Examples of those snippets are available:

Workarounds

There are no feasible workarounds for this vulnerability.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format, 3-0-csrf.patch includes two changesets, the others consist of a single changeset.

Given the severity of the problem we are also providing backported fixes to the 2.2 and 2.1 series. There will be no gem releases for these versions but the stable branches in git will be updated.

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee continued security fixes indefinitely.

Credits

Thanks to Felix Gröbert of the Google Security Team for reporting the vulnerability to us and working with us to ensure that the fix didn’t introduce any new issues. Thanks also to the Shopify development team for their assistance in verifying the fix and the upgrade process. The original vulnerability has been reported to vendors by kuza55

New Releases: 2.3.11 and 3.0.4

Two new versions of Ruby On Rails have been released today. As well as including a number of bugfixes they contain fixes for some security issues. The full details of each of the vulnerabilities are available on the rubyonrails-security mailing list. We strongly urge you to update production Rails applications as soon as possible. Rather than post the advisories individually to this blog, I’ll just link to the google talk archives.

Install the latest version using gem install rails. Or if you’re using bundler, edit your gemfile and run bundle update rails.

Summaries

Affecting 2.×.x and 3.0.x

  • XSS Risk in mail_to :encode=>:javascript”:http://groups.google.com/group/rubyonrails-security/t/f02a48ede8315f81 CVE-2011-0446
  • CSRF Bypass Risk CVE-2011-0447

Affecting 3.0.x only

Conferences for 2011

One of the reasons the Ruby and Rails community is so strong and passionate is because of the awesome regional conferences that happen all around the globe on a yearly basis. Previously on this blog I’ve gone through the list and highlighted a bunch, but since then Ruby There has popped up.

So instead of listing out all the conferences I’m just going to send you over to RubyThere.com.

If you dig the Ruby and Rails community I highly recommend you attend one of these events and maybe volunteer to help or even sponsor if you can afford to. It’s hard work putting on a conference, and most of the organizers do it for the love of the community (and little to no compensation).

Rails for Zombies

This morning my team over at Envy Labs released a free online tutorial called Rails for Zombies. The website combines screencasts with in-browser coding to provide an interactive learning experience teaching the basics of Ruby on Rails.

Rails for Zombies

Learning Rails for the first time should be fun, and Rails for Zombies allows you to get your feet wet without any setup or configuration. At the moment the application has five episodes. Each episode consists of a single screencast followed by a group of exercises which must be completed before moving forward. Once you complete all the labs, you unlock a hidden video which shows you where to go to continue your Rails learning.

If you have any friends who need to get started with Rails, hopefully this will help.

Rails 3.0.3: Faster Active Record plus fixes

How about some free speed? Well, here you go. Rails 3.0.3 includes a much faster version of Active Record that reclaims the performance lost when we went from Rails 2.3.x to 3.x and then some. Aaron Patterson has done a phenomenal job benchmarking, tweaking, and tuning the ARel engine that underpins Active Record 3 and the result is Teh Snappy.

You can read more about Aaron’s work in his ARel 2.0 write-up. If you dare, you can also have a look at his RubyConf slides that went over the rewrite and speed-up in even greater detail (warning: there are slides of boys kissing!).

In addition to the free speed, we’ve also included a truckload of minor fixes. So everything just works better and faster. What more can you ask for? Oh, that it’s a drop-in replacement for Rails 3.0 — there are no API changes. You got it.

See all the changes on Github. Install the latest version using gem install rails. Or bind yourself to the v3.0.3 tag.

Enjoy!

Note: Active Record 3.0.3 is mistakenly reporting its tiny version as 1 instead of 3. This has no impact on anything you do unless you were specifically checking that tiny version. But if it bothers you lots, it’s fixed on the 3-0-stable branch.

Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0

There is a vulnerability in the nested attributes handling code in some versions of Ruby on Rails. An attacker could manipulate form parameters and make changes to records other than those the developer intended. This vulnerability has been assigned the identifier CVE-2010-3933.

  • Versions Affected: 3.0.0, 2.3.9
  • Not affected: Versions earlier than 2.3.9 and applications which do not use accepts_nested_attributes_for
  • Fixed Versions: 3.0.1, 2.3.10

Impact

An attacker could change parameter names for form inputs and make changes to arbitrary records in the system. All users running an affected release should upgrade immediately.

Releases

The 3.0.1 and 2.3.10 releases are available at the normal locations. The 3.0.1 release consists solely of 3.0.0 with the security issue fixed, 3.0.2 will follow shortly and include other bugfixes as well as this fix. 2.3.10 is a regular release in the 2.3 series.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits

Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for reporting the vulnerability to us and helping verify the fix.

RubyAndRails 2010

RubyEnRails returns this year bigger and better as RubyAndRails 2010, running from 21-22 October in Amsterdam. Talks are in English and entry is just €149,00.

The speaker lineup is shaping up great. Check out the program and sign up now.

RubyAndRails has been run by volunteers for five years now, growing from a friendly regional gathering to an even friendlier all-European event. The Rumble is back this year, too!

Santiago Pastorino joins Rails Core

It’s my pleasure to announce that Santiago Pastorino has joined the Rails Core group. Santiago only started contributing to Rails this year, but has been on fire ever since his first patches were accepted. He’s managed to rack up 380 commits since the beginning of the year.

Santiago is one of the lead developers and co-founder of WyeWorks from Montevideo, Uruguay. He started working full-time with Ruby and Rails in the middle of 2008 after years of Java development. Since early 2010 he is trying to work full-time on OSS and sporadically writes on his company’s blog.

Congratulations!

Ruby on Rails 2.3.9 Released

We’ve released Ruby on Rails 2.3.9 (gem and git tag) to extend the 2.3.8 bridge a few steps closer to Rails 3 and Ruby 1.9. If your app runs on Rails 2.3.9 without deprecation warnings, you’re looking good for an upgrade to Rails 3.

Deprecations

  • Changes i18n named-interpolation syntax from the deprecated Hello to the 1.9-native Hello %{name}.
  • Replaces Kernel#returning with Object#tap which is native to Ruby 1.8.7.
  • Renames Array#random_element to Array#sample which is native to Ruby 1.9.
  • Renames config.load_paths and .load_once_paths to the more accurate config.autoload_paths and .autoload_once_paths.

Along with these deprecations come a broad array of bugfixes and minor tweaks. Read the commit log for the full story.

Onward to 3.1!