JP Duffy

Reputation: 1368

Rails 5 - Can anyone explain how generating a URL from non-sanitized request parameters is unsafe?

Say I have the following:

link_to "Excel", params.merge(format: 'xlsx')

Rails 5 says,

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

I guess I don't understand how this is unsafe. Anyone can type anything they want in a browser and perform a GET request to my server anyway. What's the difference?

I know I can work around it with permit! What I'm trying to understand is what sanitizing my parameters accomplishes.

Upvotes: 8

Views: 2475

Answers (2)

Eduard Avendaño

Reputation: 61

The easy way:

if you have something like this:

link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}

You must include the parameters in permit.

You can use this:

link_to title, params.permit(:direction, :page).merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}

Voila!!

Upvotes: 2

coreyward

Reputation: 80128

You should review the documentation, both from OWASP as well as Rails itself.

By using permit, you have an opportunity to disallow setting attributes that you don't want passed to your url helper.

Consider the following link, directed to your website, coming from a Twitter post:

http://example.com/your/action?host=phishingscam.example&path=login

If your code looks like this, you're in trouble:

link_to 'View Something', params.merge(format: 'xlsx')

Now the link goes to:

http://phishingscam.example/login.xlsx

The attacking website, phishingscam.example, can set the content type to text/html and render a page that looks like your login form. The user, who was on your site a moment ago and clicked to view something on your site, believes they got logged out and need to log in again. Now our attacker has the user's credentials and can redirect them back over to the appropriate link with the user wholly unaware of what happened.

This is a simple scenario. Things can get convoluted pretty quickly. You should read the Rails security guide to learn more.

Upvotes: 11
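To make the host-injection scenario from this answer, and the permit whitelist from the answer above, concrete without a Rails app, here is an added example (not code from either answer and not Rails' own url_for). It models the behaviour the answer describes: a URL helper handed a raw hash lets routing keys such as :host and :path shape the URL itself, while whitelisting with permit drops them so only the expected query parameters survive. The build_url and permit functions, the default host example.com, the default path your/action and the attacker query string are all constructed assumptions for the demonstration.

```ruby
require "uri"

# Keys that a Rails URL helper treats as routing options rather than query
# parameters. Modelled on the behaviour described in the answer; this is a
# stand-in, not Rails' url_for.
ROUTING_KEYS = %i[protocol host port path format].freeze

# Build a full URL from an options hash the way a URL helper would:
# routing keys shape scheme/host/path, everything else becomes the query.
def build_url(options)
  opts     = options.transform_keys(&:to_sym)
  protocol = (opts[:protocol] || "http").to_s.sub(%r{://\z}, "")
  host     = opts[:host] || "example.com"          # assumed site host
  port     = opts[:port] ? ":#{opts[:port]}" : ""
  path     = "/" + opts.fetch(:path, "your/action").to_s.sub(%r{\A/}, "")
  path    += ".#{opts[:format]}" if opts[:format]
  query    = opts.reject { |k, _| ROUTING_KEYS.include?(k) }
  qs       = query.empty? ? "" : "?" + URI.encode_www_form(query)
  "#{protocol}://#{host}#{port}#{path}#{qs}"
end

# Stand-in for ActionController::Parameters#permit: keep only allowed keys,
# so attacker-supplied :host/:path never reach the URL helper.
def permit(params, *allowed)
  params.select { |k, _| allowed.include?(k.to_sym) }
end

# Constructed request: the query string from the tweeted link in the answer,
# plus a legitimate sort parameter the page actually uses.
ATTACKER_QUERY = "host=phishingscam.example&path=login&sort=name"
REQUEST_PARAMS = URI.decode_www_form(ATTACKER_QUERY).to_h.transform_keys(&:to_sym)

# The pattern from the question: merge straight from request params.
def unsafe_link(params)
  build_url(params.merge(format: "xlsx"))
end

# The hardened pattern: whitelist first, then merge.
def safe_link(params)
  build_url(permit(params, :sort, :direction, :page).merge(format: "xlsx"))
end

if $PROGRAM_NAME == __FILE__
  puts unsafe_link(REQUEST_PARAMS) # http://phishingscam.example/login.xlsx?sort=name
  puts safe_link(REQUEST_PARAMS)   # http://example.com/your/action.xlsx?sort=name
end
```

The unsafe link points the "Excel" button at the attacker's host, exactly as the answer warns; the permitted version keeps the sort key the page needs and silently discards host and path, which is what the Rails warning is asking you to do.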
