File Content Disclosure in Action View
Description
A file content disclosure vulnerability exists in Ruby on Rails Action View that allows attackers to read arbitrary files from the server. When a controller uses render file: without specifying a format, a specially crafted HTTP Accept header can influence the rendering process so that the contents of any file readable by the application are disclosed. This vulnerability only affects code that explicitly renders files with render file:; standard template rendering is not impacted.
Vulnerable code pattern (render file: with no format specified):

  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file"
    end
  end
Remediation
Apply one of the following remediation steps immediately:
1. Upgrade Ruby on Rails: Update to a patched version of Rails that addresses CVE-2019-5418. Consult the official Rails security advisory for specific version requirements.
2. Code Remediation: If immediate upgrading is not possible, modify vulnerable code to explicitly specify the format when rendering files:
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file", formats: [:html]
    end
  end

3. Avoid File Rendering: Where possible, refactor code to use template rendering instead of direct file rendering, or serve static files through the web server rather than the Rails application.
After applying fixes, audit your codebase for all instances of render file: to ensure they specify an explicit format or have been refactored.
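The audit step above can be scripted. The following Ruby helper is an added example, not part of the advisory or of Rails: it scans Ruby source for render file: calls and reports the ones that do not pass an explicit formats: option (the mitigated pattern from step 2). The sample controller text embedded in it is constructed for the demonstration, and the file names are hypothetical. Multi-line calls whose keyword arguments continue after a trailing comma are joined before checking, so a formats: option on a later line is still recognised.

```ruby
# Added example (not from the advisory or from Rails): audit Ruby source for
# `render file:` calls and flag those without an explicit `formats:` option.

RENDER_FILE_RE = /\brender\s*\(?\s*file:/
FORMATS_RE     = /\bformats:/

# Returns one hash per `render file:` call found in `source`:
#   { file:, line:, code:, safe: }
# `safe` is true when the (possibly multi-line) call passes `formats:`.
def audit_render_file(source, filename = "(string)")
  findings = []
  lines = source.lines
  i = 0
  while i < lines.size
    line = lines[i]
    if line.match?(RENDER_FILE_RE)
      stmt = line.strip
      start_line = i + 1
      # Join continuation lines of a multi-line call (trailing comma) so an
      # option on the next line is not missed. Calls wrapped differently
      # (e.g. with a trailing backslash) are not joined and need manual review.
      while stmt.end_with?(",") && i + 1 < lines.size
        i += 1
        stmt = "#{stmt} #{lines[i].strip}"
      end
      findings << {
        file: filename,
        line: start_line,
        code: stmt,
        safe: stmt.match?(FORMATS_RE)
      }
    end
    i += 1
  end
  findings
end

# Only the findings that still match the vulnerable pattern.
def unsafe_render_file_calls(source, filename = "(string)")
  audit_render_file(source, filename).reject { |f| f[:safe] }
end

# Constructed sample input (hypothetical controller, not real project code).
SAMPLE_CONTROLLER = <<~RUBY
  class UserController < ApplicationController
    def index
      render file: "\#{Rails.root}/some/file"
    end

    def show
      render file: "\#{Rails.root}/some/file", formats: [:html]
    end

    def other
      render template: "users/other"
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_render_file.rb app/controllers/*.rb
  # With no arguments the constructed sample above is scanned instead.
  sources =
    if ARGV.empty?
      [["sample_controller.rb", SAMPLE_CONTROLLER]]
    else
      ARGV.map { |path| [path, File.read(path)] }
    end
  sources.each do |name, src|
    unsafe_render_file_calls(src, name).each do |f|
      puts "#{f[:file]}:#{f[:line]}: render file: without formats: -> #{f[:code]}"
    end
  end
end
```

Run it over app/controllers (and any other directory that renders files) after upgrading or patching; every reported line should either gain a formats: option or be refactored away from file rendering as described in step 3. The check is textual, so it will not see calls built dynamically or wrapped in ways other than a trailing comma; treat its output as a starting list, not a proof of absence.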