HackerOne report H1:803922
Ruby on Rails: Missing resource identifier encoding may lead to security vulnerabilities

Published: 2020-02-24 20:41:03 | Reporter: jobert | Source: hackerone.com

EPSS: 0.002 (percentile 55.1%)

(I initially submitted this to the GitHub repository because the ActiveResource repository is not listed in scope. I was redirected here by @rafaelfranca)

A number of methods in the ActiveResource library, such as ActiveResource::Base#find and ActiveResource::Base#exists? don’t URL encode the resource identifier that is passed to them. Consider the following code:

require 'activeresource'

class Test < ActiveResource::Base
  self.site = 'http://127.0.0.1:8080'
end

Test.exists? '?a=1'

The code above is expected to make a request to http://127.0.0.1:8080/tests/%3fa%3d1.json by properly URL encoding the resource identifier. Instead, it makes a request to http://127.0.0.1:8080/tests/?a=1.json.

This was tested against ActiveResource 5.1.0 and 5.0.0; both have the same unexpected behavior.

Impact

Because the index /tests/ returns an array of objects, the code will throw an exception. However, due to the time difference that could be observed, an attacker could potentially exploit this by injecting a filter parameter into the index endpoint of the resource. E.g.

Resource identifier | Objects returned | RTT
--------------------|------------------|------
?type=a&            | 1                | 500ms
?type=b&            | 0                | 100ms
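The following Ruby snippet is an added example, not part of the original report and not ActiveResource's own code. It uses two hypothetical path builders (unencoded_element_path and encoded_element_path) to show why the unencoded identifier lands in the query string of the index endpoint, how percent-encoding the identifier as a single path segment with ERB::Util.url_encode keeps it inside the element path, and an allow-list check a caller can apply when the client library cannot be changed. The collection name "tests" and the site URL are taken from the report; the sample identifiers are constructed. ERB::Util.url_encode emits uppercase hex (%3F rather than the %3f written in the report); percent-encoding is case-insensitive, so servers treat both the same.

```ruby
require 'erb'   # ERB::Util.url_encode percent-encodes a single path segment
require 'uri'

# Site from the report's snippet.
SITE = 'http://127.0.0.1:8080'

# Hypothetical helper mimicking a client that pastes the identifier into the
# element path verbatim (the behaviour the report describes).
def unencoded_element_path(collection, id)
  "/#{collection}/#{id}.json"
end

# Hypothetical hardened helper: the identifier is percent-encoded as one path
# segment. url_encode leaves only A-Z a-z 0-9 - _ . ~ unescaped, so '?', '=',
# '&', '/' and '#' can no longer alter the route or introduce a query string.
def encoded_element_path(collection, id)
  "/#{collection}/#{ERB::Util.url_encode(id.to_s)}.json"
end

# Parse the full URL the way a server would and report which path and query
# string actually arrive. Returns [path, query] (query is nil when absent).
def effective_request(path)
  uri = URI.parse(SITE + path)
  [uri.path, uri.query]
end

# Defensive allow-list for callers that cannot change the library: accept only
# identifiers made of URL-unreserved characters, so nothing with URL syntax
# meaning reaches the path builder in the first place.
def safe_identifier?(id)
  id.to_s.match?(/\A[A-Za-z0-9_\-.~]+\z/)
end

if __FILE__ == $0
  # Constructed sample identifiers: the report's '?a=1', a filter injection
  # shape from the Impact table, a dot-segment, and a benign numeric id.
  ['?a=1', '?type=a&', '../admin', '42'].each do |id|
    puts "identifier #{id.inspect}"
    puts "  unencoded -> #{effective_request(unencoded_element_path('tests', id)).inspect}"
    puts "  encoded   -> #{effective_request(encoded_element_path('tests', id)).inspect}"
    puts "  accepted by allow-list: #{safe_identifier?(id)}"
  end
end
```

Running the script shows the unencoded '?a=1' arriving as path "/tests/" with query "a=1.json" (the index endpoint with an injected parameter), while the encoded form arrives as path "/tests/%3Fa%3D1.json" with no query string. The allow-list rejects every identifier except "42".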