Privilege escalation
Need
Prevention of unauthorized privilege escalation
Context
• Usage of Ruby 2.5.0 as the programming language for development
• Usage of Rails framework for building web applications
Description
1. Non-compliant code
  class UsersController < ApplicationController
    before_action :set_user, only: [:show, :edit, :update, :destroy]
    # GET /users
    # GET /users.json
    def index
      @users = User.all
  ...
The above code is a typical UsersController in a Ruby on Rails application. There is a major security vulnerability in the `update` action and the `user_params` method. In the `update` action, any authenticated user can update any other user's details, because nothing checks whether the user making the request is allowed to modify the user identified by `params[:id]`. The `user_params` method is where the attributes permitted for mass assignment are allow-listed, and the problem is that `:role` is among them. Any user can therefore set their own role to any value, including 'admin', so any authenticated user can escalate their privileges to admin level. A malicious user can exploit this to gain admin access and perform actions they are not authorized to perform.
2. Steps
• Implement proper authorization and authentication mechanisms to ensure that only authorized users can access privileged actions.
• Use role-based access control (RBAC) to assign specific roles and permissions to users.
• Ensure that the `update` action is only accessible to users with the appropriate role or privilege.
• Validate user input and sanitize any user-supplied data to prevent injection attacks.
• Regularly update and patch the Ruby on Rails framework to address any known security vulnerabilities.
• Perform regular security audits and penetration testing to identify and fix any potential vulnerabilities.
3. Secure code example
  class UsersController < ApplicationController
    before_action :set_user, only: [:show, :edit, :update, :destroy]
    before_action :check_role, only: [:update]
    # GET /users
    # GET /users.json
    def index
    end
  ...
The updated code includes a new `before_action` filter, `check_role`, which is applied only to the `update` action. This filter checks whether the current user has the admin role before allowing the update to proceed; if the user is not an admin, they are redirected to the root path with an alert message. The `user_params` method has also been updated to remove `:role` from the list of permitted parameters, so standard users can no longer escalate their privileges by changing their own role. Together, these changes ensure that only users with the appropriate role or privilege can reach the `update` action, mitigating the privilege escalation vulnerability.
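The two defects described above, shown side by side in an added, Rails-free example (not the page's own controller code). It assumes users are plain Structs and that request parameters arrive as a Hash with string keys, as they would in a Rails controller; `filter_params` stands in for strong parameters and `check_role` for the `before_action` filter.

```ruby
# Added example, not code from the page: a Rails-free model of the
# vulnerable and fixed update paths. Assumptions: users are Structs and
# request params arrive as a Hash with string keys, as in Rails.
User = Struct.new(:id, :name, :email, :role)

# Mirrors the non-compliant user_params: :role is permitted, so any user
# editing a profile can submit role=admin.
VULNERABLE_ALLOWLIST = %w[name email role].freeze
# Mirrors the fixed user_params: :role is no longer mass-assignable.
SECURE_ALLOWLIST = %w[name email].freeze

# Strong-parameters style filter: keep only allow-listed keys, drop the rest.
def filter_params(params, allowlist)
  params.select { |key, _| allowlist.include?(key.to_s) }
end

# Equivalent of the check_role before_action: only admins pass.
def check_role(current_user)
  current_user.role == 'admin'
end

# Copies the permitted values onto the target record (mass assignment).
def assign(target, permitted)
  permitted.each { |key, value| target[key.to_sym] = value }
  target
end

# Non-compliant update: no authorization gate and :role is assignable.
# Returns [status, target] so callers can inspect the outcome.
def vulnerable_update(_current_user, target, params)
  [:ok, assign(target, filter_params(params, VULNERABLE_ALLOWLIST))]
end

# Fixed update: authorization first, then the narrowed allowlist.
def secure_update(current_user, target, params)
  return [:forbidden, target] unless check_role(current_user)

  [:ok, assign(target, filter_params(params, SECURE_ALLOWLIST))]
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, 'Alice', 'alice@example.test', 'user')
  # A standard user posting role=admin to the vulnerable action becomes admin.
  puts vulnerable_update(alice, alice, { 'name' => 'Alice', 'role' => 'admin' }).inspect
  bob = User.new(2, 'Bob', 'bob@example.test', 'user')
  # The same request against the fixed action is rejected outright.
  puts secure_update(bob, bob, { 'name' => 'Bob', 'role' => 'admin' }).inspect
end
```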
References
• 005. Privilege escalation