Arbitrary file write/potential remote code execution in actionpack_page-caching
There is a vulnerability in the actionpack_page-caching gem that allows an attacker
to write arbitrary files to a web server, potentially resulting in remote code execution
if the attacker can write unescaped ERB to a view.
This vulnerability has been assigned the CVE identifier CVE-2020-8159.
Versions Affected: All versions of actionpack_page-caching (part of Rails prior to Rails 4.0)
Not affected: Applications not using actionpack_page-caching
Fixed Versions: actionpack_page-caching >= 1.2.1
Impact
------
The Action Pack Page Caching gem writes cache files to the file system in
order for the front end webserver (nginx, Apache, etc) to serve the cached
file without making a request to the application server. Paths contain what
is effectively user input can be used to manipulate the location of the cache
file.
For example "/users/123" could be changed to "/users/../../../foo" and this
will escape the cache directory. Attackers can use this technique to
springboard to an RCE if they can write arbitrary ERb to a view folder.
Impacted code looks like this:
```
class BooksController < ApplicationController
caches_page :show
end
```
Where the `show` action of the `BooksController` may be vulnerable.
Releases
--------
The 1.2.1 release is available at the normal locations.
Workarounds
-----------
Until such time as their applications can be upgraded to a fixed version, we
recommend application developers apply the provided patch or disable
actionpack_page-caching entirely by removing calls to `caches_page` from all
controllers.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided a patch that should apply to all
supported releases. They are in git-am format and consist of a single changeset.
* 1-2-normalize-written-paths.patch
Credits
-------
Thanks to
https://hackerone.com/ooooooo_q for reporting this issue via our HackerOne bug bounty program.