Remote code execution of user-provided local names in Rails
Description
A code injection vulnerability exists in Ruby on Rails versions prior to 5.0.1 that allows remote code execution when an attacker can control the locals parameter passed to the render method. By manipulating local variable names, an attacker can inject and execute arbitrary Ruby code on the server. This vulnerability has been assigned the CVE identifier CVE-2020-8163.
Remediation
Upgrade to Ruby on Rails version 5.0.1 or later immediately. This patched version is available on RubyGems and can be updated by modifying your Gemfile:
gem 'rails', '~> 5.0.1'
Then run bundle update rails to apply the update.
Temporary Workaround: If immediate patching is not possible, implement strict input validation to ensure all user-provided local variable names contain only alphanumeric characters. Use a whitelist approach:
# Only accept names made up of letters, digits and underscores; anything else
# (spaces, punctuation, operators) is rejected before it can reach render.
allowed_locals = /\A[a-zA-Z0-9_]+\z/

if local_name.match?(allowed_locals)
  render locals: { local_name.to_sym => value }
else
  # Reject invalid input
  raise ArgumentError, 'Invalid local variable name'
end

However, applying the official patch is strongly recommended as the preferred solution.
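The workaround above validates one name at a time. The following is an added example, not code from the advisory or from Rails, of a small wrapper that validates a whole hash of untrusted locals before it is passed to render. It tightens the advisory's pattern so that names must also start with a lowercase letter or underscore (a leading digit is not a valid Ruby local), and optionally checks each name against an explicit allow-list of the locals the view actually expects. The function and exception names are assumptions chosen for this example.

```ruby
# Added example (not part of the advisory): validate untrusted local names
# before they are handed to `render locals:`.

# Stricter than /\A[a-zA-Z0-9_]+\z/: a Ruby local variable must begin with a
# lowercase letter or underscore, so names such as "1abc" are rejected as well.
VALID_LOCAL_NAME = /\A[a-z_][a-zA-Z0-9_]*\z/

# Hypothetical exception class so callers can rescue validation failures.
class InvalidLocalName < ArgumentError; end

# Returns a new Hash with symbol keys containing only names that pass the
# pattern check and, when `allowed:` is given, that appear in the allow-list.
# Raises InvalidLocalName on the first offending name.
def sanitize_locals(untrusted, allowed: nil)
  untrusted.each_with_object({}) do |(name, value), safe|
    name = name.to_s
    unless name.match?(VALID_LOCAL_NAME)
      raise InvalidLocalName, "invalid local variable name: #{name.inspect}"
    end
    if allowed && !allowed.include?(name)
      raise InvalidLocalName, "local #{name.inspect} is not permitted"
    end
    safe[name.to_sym] = value
  end
end

# Constructed sample input, as it might arrive from a request parameter hash.
# In a controller this would be used as:
#   render "show", locals: sanitize_locals(user_locals, allowed: %w[title body])
if __FILE__ == $PROGRAM_NAME
  user_locals = { "title" => "Hello", "body" => "text" }
  p sanitize_locals(user_locals, allowed: %w[title body])
end
```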