@brenes
Last active June 7, 2017 04:23
Rails <= 2.3 patch for CVE-2013-1854, CVE-2013-1855, CVE-2013-1856 and CVE-2013-1857 vulnerabilities

Extracted from the official patches.

  • Add the files to your application's '/config/initializers' directory.

Notes

  • The CVE-2013-1854 patch had compatibility issues with has_many_polymorphs, because that plugin overrides the create_reflection method to add its has_many_polymorphs relation. This was solved by including the HMP code in our patch; that branch is only executed when a HMP relation is declared.
```ruby
# From be764d2c9ce1c8f980f2cf3bf021bdbd5d05f605 Mon Sep 17 00:00:00 2001
# From: Aaron Patterson <aaron.patterson@gmail.com>
# Date: Tue, 5 Mar 2013 14:52:08 -0800
# Subject: [PATCH] stop calling to_sym when building arel nodes
# Drop it at your_app/config/initializers/
# Remember to pass your tests/specs
class ActiveRecord::Base
  def self.expand_hash_conditions_for_aggregates(attrs)
    expanded_attrs = {}
    attrs.each do |attr, value|
      # attr is passed to the lookup as given (no to_sym), so attribute names
      # taken from a request no longer create new symbols
      unless (aggregation = reflect_on_aggregation(attr)).nil?
        mapping = aggregate_mapping(aggregation)
        mapping.each do |field_attr, aggregate_attr|
          if mapping.size == 1 && !value.respond_to?(aggregate_attr)
            expanded_attrs[field_attr] = value
          else
            expanded_attrs[field_attr] = value.send(aggregate_attr)
          end
        end
      else
        expanded_attrs[attr] = value
      end
    end
    expanded_attrs
  end
end

module ActiveRecord::Reflection::ClassMethods
  def create_reflection(macro, name, options, active_record)
    case macro
    when :has_many, :belongs_to, :has_one, :has_and_belongs_to_many
      klass = options[:through] ? ActiveRecord::Reflection::ThroughReflection : ActiveRecord::Reflection::AssociationReflection
      reflection = klass.new(macro, name, options, active_record)
    when :composed_of
      reflection = ActiveRecord::Reflection::AggregateReflection.new(macro, name, options, active_record)
    # the following branch has been added for compatibility with has_many_polymorphs
    when :has_many_polymorphs
      reflection = ActiveRecord::Reflection::PolymorphicReflection.new(macro, name, options, active_record)
    end
    # reflections are stored with indifferent access, so string keys can be
    # looked up directly without converting them to symbols
    write_inheritable_hiwa :reflections, name => reflection
    reflection
  end
end

class Class
  # like write_inheritable_hash, but the stored hash has indifferent access
  def write_inheritable_hiwa(key, hash)
    write_inheritable_attribute(key, {}.with_indifferent_access) if read_inheritable_attribute(key).nil?
    write_inheritable_attribute(key, read_inheritable_attribute(key).merge(hash))
  end
end
```
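The following is an added example, not code from the gist or from Rails. It models, stand-alone, the lookup that the CVE-2013-1854 patch above changes: before the patch the attribute name taken from a conditions hash went through to_sym before the reflections lookup, so every distinct name a client supplied became a new symbol, and before Ruby 2.2 symbols were never garbage collected. The patched code stores reflections under indifferent-access keys and looks them up as strings. The two registry classes, the UninternableKey probe and the lookup_interns? helper are all constructed for this example; PatchedReflections mirrors the write_inheritable_hiwa pattern with a plain Hash rather than ActiveSupport's HashWithIndifferentAccess.

```ruby
# Added example (not part of the gist): contrasting a lookup that interns its
# argument with one that does not.

# Pre-patch shape, kept only for contrast: symbol-keyed table, to_sym on lookup.
class LegacyReflections
  def initialize
    @table = {}
  end

  def write(hash)
    hash.each { |name, reflection| @table[name.to_sym] = reflection }
    self
  end

  # Interns whatever the caller passes in: a fresh symbol per distinct name.
  def reflect_on(name)
    @table[name.to_sym]
  end
end

# Patched shape: keys normalised to strings, as HashWithIndifferentAccess does,
# so a caller-supplied String is used as-is and never converted to a Symbol.
class PatchedReflections
  def initialize
    @table = {}
  end

  def write(hash)
    hash.each { |name, reflection| @table[convert_key(name)] = reflection }
    self
  end

  def reflect_on(name)
    @table[convert_key(name)]
  end

  private

  # Same rule as HashWithIndifferentAccess#convert_key: symbols become strings,
  # everything else is left alone.
  def convert_key(name)
    name.is_a?(Symbol) ? name.to_s : name
  end
end

# Probe key (constructed): a String that refuses to be interned, so any
# to_sym/intern on a lookup path raises NoMethodError instead of silently
# creating a symbol.
class UninternableKey < String
  undef_method :to_sym
  undef_method :intern
end

# true when +registry+'s lookup path interns its argument.
def lookup_interns?(registry, name)
  registry.reflect_on(UninternableKey.new(name))
  false
rescue NoMethodError
  true
end

if __FILE__ == $0
  legacy  = LegacyReflections.new.write(balance: :money_reflection)
  patched = PatchedReflections.new.write(balance: :money_reflection)
  puts patched.reflect_on("balance").inspect     # :money_reflection
  puts lookup_interns?(legacy, "no_such_attr")   # true
  puts lookup_interns?(patched, "no_such_attr")  # false
end
```

The probe is the useful part when reviewing similar code: any lookup that accepts request-derived names can be fed an UninternableKey in a test, and a NoMethodError tells you that a to_sym survived somewhere on the path.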
```ruby
# Drop it at your_app/config/initializers/
# Remember to pass your tests/specs
# Select REXML as the XmlMini parsing backend
ActiveSupport::XmlMini.backend = "REXML"
```
```ruby
# From 10f0e6fe749d818c2d1296c04665a98345029b80 Mon Sep 17 00:00:00 2001
# From: Aaron Patterson <aaron.patterson@gmail.com>
# Date: Fri, 15 Mar 2013 15:04:00 -0700
# Subject: [PATCH] fix protocol checking in sanitization [CVE-2013-1857]
# Drop it at your_app/config/initializers/
# Remember to pass your tests/specs
module HTML
  class WhiteListSanitizer
    # separator used to split the protocol off a URI attribute value; it also
    # matches the encoded forms of the colon
    self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

    def contains_bad_protocols?(attr_name, value)
      uri_attributes.include?(attr_name) &&
        (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
    end
  end
end
```
@amartinfraguas

The cve_2013_1855.rb file is actually for the CVE-2013-1856 vulnerability; this is the patch for 1855 (according to the official website https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8 ):

```ruby
module HTML
  class WhiteListSanitizer
    # Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          unless val.split().any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
            clean << prop + ': ' + val + ';'
          end
        end
      end
      clean.join(' ')
    end
  end
end
```
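As an added example, not part of the comment above or of Rails, the following stand-alone script shows what the \A ... \z anchoring in the patched sanitize_css gauntlet buys. In Ruby, ^ and $ match at line boundaries, so a whole-value check anchored with them only validates the first line of a multi-line style value, while \A and \z validate the entire string. The two STRICT_* patterns are copied from the patched code above; the LINE_* variants are a constructed contrast (not claimed to be earlier Rails code), and ALLOWED_CSS_PROPERTIES is a three-entry list constructed for the example where Rails ships a long one. The shorthand-property handling is left out so that the gauntlet is the only thing being exercised.

```ruby
# Added example (not part of the gist): string anchors versus line anchors in
# the sanitize_css gauntlet.

# The two gauntlet patterns exactly as they appear in the patched code.
STRICT_CHARSET   = /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
STRICT_STRUCTURE = /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/

# Constructed contrast: the same patterns with line anchors in place of string
# anchors (an assumption for illustration, not the earlier Rails source).
LINE_CHARSET   = /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/
LINE_STRUCTURE = /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/

# Small allowed-property list constructed for this example.
ALLOWED_CSS_PROPERTIES = %w[color background-color font-size].freeze

# true when +style+ survives both gauntlet checks under the chosen anchoring.
def passes_gauntlet?(style, strict: true)
  charset, structure = strict ? [STRICT_CHARSET, STRICT_STRUCTURE] : [LINE_CHARSET, LINE_STRUCTURE]
  !(style !~ charset || style !~ structure)
end

# Reduced sanitize_css: url() removal, gauntlet, then the property allow-list.
def sanitize_css_minimal(style, strict: true)
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
  return '' unless passes_gauntlet?(style, strict: strict)

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    clean << "#{prop}: #{val};" if ALLOWED_CSS_PROPERTIES.include?(prop.downcase)
  end
  clean.join(' ')
end

if __FILE__ == $0
  # Constructed inputs: an ordinary declaration list and a two-line value whose
  # second line is not CSS at all.
  puts sanitize_css_minimal("color: red; background-color: url(http://example.com/a.png) blue")
  puts sanitize_css_minimal("color: red\n@import foo").inspect
  puts sanitize_css_minimal("color: red\n@import foo", strict: false).inspect
end
```

With line anchors the charset check matches "color: red" up to the first newline and declares the whole value clean, and the second line then rides through the property scan inside the value of color. With string anchors the same value fails the charset check at the @ and the function returns an empty string, which is the behaviour the patched code has.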
