From 1b84d905801125fcca0c8f43bf6af7d7872ac87e Mon Sep 17 00:00:00 2001
From: Arthur Neves
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH 2/2] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same way it is in the controllers. We should raise an error if thats happens. Fix CVE-2016-2098.
---
 actionpack/test/controller/render_test.rb | 24 +++++++++++++++++++++++-
 actionview/lib/action_view/renderer/renderer.rb | 4 ++++
 actionview/test/template/render_test.rb | 19 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index 0fcbb86..7bdf65c 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -1534,6 +1534,16 @@ class MetalTestController < ActionController::Metal
 end
 end
+class MetalWithoutAVTestController < ActionController::Metal
+ include AbstractController::Rendering
+ include ActionController::Rendering
+ include ActionController::StrongParameters
+
+ def dynamic_params_render
+ render params
+ end
+end
+
 class ExpiresInRenderTest < ActionController::TestCase
 tests TestController
@@ -1563,9 +1573,10 @@ class ExpiresInRenderTest < ActionController::TestCase
 end
 def test_dynamic_render_file_hash
- assert_raises ArgumentError do
+ e = assert_raises ArgumentError do
 get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
 end
+ assert_equal "render parameters are not permitted", e.message
 end
 def test_expires_in_header
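Review bot: test_dynamic_render_file_hash now pins the literal "render parameters are not permitted", but the controller-side guard that produces it for `get :dynamic_render` is not in this patch, so the assertion only holds if that other raise site (presumably PATCH 1/2) uses byte-identical wording. The same literal is repeated in test_dynamic_params_render (the MetalRenderWithoutAVTest hunk), in both new tests of actionview/test/template/render_test.rb, and in the renderer.rb raise, which is four copies that can drift independently. A single constant, or an ArgumentError subclass that both guards raise and the tests match with assert_raises, would tie them together and let the tests check the class rather than the text. The controller-side raise could not be checked here because it lies outside this patch.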
@@ -1744,3 +1755,14 @@ class MetalRenderTest < ActionController::TestCase
 assert_equal "NilClass", @response.body
 end
 end
+
+class MetalRenderWithoutAVTest < ActionController::TestCase
+ tests MetalWithoutAVTestController
+
+ def test_dynamic_params_render
+ e = assert_raises ArgumentError do
+ get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
+ end
+ assert_equal "render parameters are not permitted", e.message
+ end
+end
diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
index 964b183..5ba7b2b 100644
--- a/actionview/lib/action_view/renderer/renderer.rb
+++ b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ module ActionView
 # Main render entry point shared by AV and AC.
 def render(context, options)
+ if options.respond_to?(:permitted?) && !options.permitted?
+ raise ArgumentError, "render parameters are not permitted"
+ end
+
 if options.key?(:partial)
 render_partial(context, options)
 else
diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
index caf6d13..b3de94f 100644
--- a/actionview/test/template/render_test.rb
+++ b/actionview/test/template/render_test.rb
@@ -149,6 +149,25 @@ module RenderTestCases
 end
 end
+ def test_render_with_strong_parameters
+ params = { :inline => '<%= RUBY_VERSION %>' }
+ def params.permitted?
+ false
+ end
+ e = assert_raises ArgumentError do
+ @view.render(params)
+ end
+ assert_equal "render parameters are not permitted", e.message
+ end
+
+ def test_render_with_permitted_strong_parameters
+ params = { inline: "<%= 'hello' %>" }
+ def params.permitted?
+ true
+ end
+ assert_equal 'hello', @view.render(params)
+ end
+
 def test_render_partial
 assert_equal "only partial", @view.render(:partial => "test/partial_only")
 end
--
2.5.4 (Apple Git-61)
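Review bot: The guard added at the top of `render` in renderer.rb is duck-typed on `permitted?`, so it rejects only an object that answers `permitted?` with false; anything that does not respond to it (a plain Hash, as far as this hunk shows) and any permitted parameters object still flow into the `options.key?(:partial)` dispatch with their keys interpreted as render options, which test_render_with_permitted_strong_parameters demonstrates by rendering a permitted `:inline` template. That scope should be stated on the method so the next maintainer does not read the check as a general sanitiser: extend the comment above `def render(context, options)` to `# Main render entry point shared by AV and AC. Refuses an unpermitted parameters object outright (CVE-2016-2098); permitted parameters are still trusted as render options, so callers must permit only keys that are safe to hand to render.` The body of `render` continues past the end of the hunk.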