Paperclip gem SSRF (Server side request forgery)
Description
The Paperclip gem for Ruby on Rails provides file attachment management for ActiveRecord models. Versions prior to 5.2.0 contain a Server Side Request Forgery (SSRF) vulnerability in two IO adapters (http_url_proxy_adapter.rb and uri_adapter.rb) that accept URLs as attachment sources. When a URL beginning with http:// or https:// is provided as attachment data, Paperclip downloads the file from the specified URI without validating the destination. This allows attackers to force the application server to make arbitrary HTTP requests to internal network resources, cloud metadata services, or other systems that should not be directly accessible.
Remediation
Update the Paperclip gem to version 5.2.0 or later, which includes validation to prevent SSRF attacks. To upgrade, update your Gemfile:
gem 'paperclip', '~> 5.2.0'
Then run:
bundle update paperclip
If immediate upgrading is not possible, implement the following mitigations:
- Validate and sanitize all user-supplied URLs before passing them to Paperclip
- Use an allowlist of permitted domains for file uploads
- Reject URLs pointing to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16)
- Implement network-level controls to restrict outbound requests from application servers
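A pre-flight check combining the first three mitigations above, as an added example and not Paperclip's own code: the scheme is restricted to http/https, the host must be on an allowlist, and both IP literals and every address the host resolves to are refused if they fall in a blocked range. The allowlist, the `resolver:` hook (stubbed offline, Resolv in production) and the error class are assumptions; the blocked list extends the page's five IPv4 ranges with 0.0.0.0/8 and the IPv6 loopback, unique-local and link-local ranges.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Address ranges a fetch must never reach. The five IPv4 ranges are the ones listed above;
# 0.0.0.0/8 and the IPv6 loopback, unique-local and link-local ranges are added here.
BLOCKED_RANGES = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16
  0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

class UnsafeAttachmentUrl < StandardError; end

# Assumed hook: resolve a hostname to all of its addresses (stubbed in tests, Resolv otherwise).
def default_resolver(host)
  Resolv.getaddresses(host)
end

def blocked_ip?(address)
  ip = IPAddr.new(address)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # unparsable address: treat as unsafe
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Returns the parsed URI if it is safe to hand to Paperclip; raises UnsafeAttachmentUrl otherwise.
def validate_attachment_url(raw, allowed_hosts:, resolver: method(:default_resolver))
  uri = URI.parse(raw.to_s)
  raise UnsafeAttachmentUrl, 'scheme must be http or https' unless %w[http https].include?(uri.scheme)
  host = uri.hostname.to_s.downcase # hostname strips the brackets from IPv6 literals
  raise UnsafeAttachmentUrl, 'missing host' if host.empty?
  raise UnsafeAttachmentUrl, "host #{host} is not on the allowlist" unless allowed_hosts.include?(host)
  # Check every address the host maps to: an allowlisted name that points into a
  # blocked range (misconfiguration or a hijacked DNS record) is still refused.
  addresses = ip_literal?(host) ? [host] : resolver.call(host)
  raise UnsafeAttachmentUrl, "host #{host} did not resolve" if addresses.empty?
  bad = addresses.find { |a| blocked_ip?(a) }
  raise UnsafeAttachmentUrl, "host #{host} maps to blocked address #{bad}" if bad
  uri
rescue URI::InvalidURIError
  raise UnsafeAttachmentUrl, 'malformed URL'
end
```

The resolution check is only as good as the answer at validation time, so the network-level egress controls in the last bullet remain necessary; this check is a complement to upgrading, not a substitute.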