Andrew Grimm

Reputation: 81530

How do I test whether an app is vulnerable to the sprockets vulnerability?

What web request should I run to test if a Rails application is vulnerable to the sprockets vulnerability CVE-2018-3760?

I've made the necessary changes that ought to make it safe from that issue, but I'd like to test it out by seeing what happens both on a secure version and a non-secure version.

I tried http://localhost:3000/assets/file:%2f%2f///Users/agrimm/rails/sprockets_replication/README.rdoc on an example Rails application running in production mode on a development machine using Google Chrome, but it didn't retrieve the file even with an insecure version of sprockets and with config.assets.compile = true in production.rb. (I wouldn't be surprised if the path of the web request is wrong - it's a bit of a wild guess)

Neither https://blog.heroku.com/rails-asset-pipeline-vulnerability nor https://groups.google.com/forum/#!topic/rubyonrails-security/ft_J--l55fM gave examples of how to test for the vulnerability.

Upvotes: 4

Views: 399

Answers (1)

xploshioOn

Reputation: 4115

Remember that this works with assets, so trying with a file that is outside of the assets folders like

/path/to/project/folder/app/assets/config 
/path/to/project/folder/app/assets/images 
/path/to/project/folder/app/assets/javascripts 
/path/to/project/folder/app/assets/stylesheets 
/path/to/project/folder/vendor/assets/javascripts 
/path/to/project/folder/vendor/assets/stylesheets 

or all the asset folders of gems wouldn't work.

So the one you are trying wouldn't work because it will throw a Sprockets::FileOutsidePaths error. It even recognizes that the file exists, because if you look at the log, there is a

Sprockets::FileOutsidePaths (/path/to/project/folder/README.md is no longer under a load path)

and if it doesn't exist, you will see an error of

Sprockets::FileNotFound (could not find file)

So you are on the right path, but you need to try with an asset file in those folders listed, something like:

localhost:3000/assets/file:%2f%2f///path/to/project/folder/app/assets/stylesheets/devise.css

with this you will see an asset being returned by the browser.

And after updating the sprockets gem to 3.7.2, with config.assets.compile = true, and trying to access the same address again, you will see a page that just says forbidden and nothing else.

Those were my conclusions from the tests that I did locally, and with those instructions you can test the vulnerability that is the objective of the question.

Upvotes: 4
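The answer above shows what a probe for this issue looks like on the wire (a `file:` URI percent-encoded into the `/assets/` path). As an added example, not part of the question or answer, here is a small Ruby script that scans access-log lines for that pattern so you can confirm after patching that such requests are being logged and refused. The log lines are constructed here and the `find_sprockets_probes` / `sprockets_probe?` names are my own.

```ruby
# Added example: detect requests shaped like the CVE-2018-3760 probe in the
# answer above (a file: URI after /assets/). Log lines below are constructed.
LOG_LINES = <<~LOG.lines(chomp: true)
  10.0.0.5 - - [22/Jun/2018:10:01:12 +0000] "GET /assets/application-abc123.css HTTP/1.1" 200 4120
  10.0.0.9 - - [22/Jun/2018:10:01:40 +0000] "GET /assets/file:%2f%2f///path/to/project/folder/app/assets/stylesheets/devise.css HTTP/1.1" 200 812
  10.0.0.9 - - [22/Jun/2018:10:02:03 +0000] "GET /assets/file:%2f%2f///path/to/project/folder/README.md HTTP/1.1" 500 0
  10.0.0.5 - - [22/Jun/2018:10:03:15 +0000] "GET /users/sign_in HTTP/1.1" 200 2310
LOG

# Decode %XX escapes once (no '+' handling, since this is a URL path).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode until the string stops changing, so double-encoded probes
# (%252f -> %2f -> /) are normalised the same way as single-encoded ones.
def fully_decode(path)
  loop do
    decoded = percent_decode(path)
    return decoded if decoded == path
    path = decoded
  end
end

# True when the decoded path is under /assets/ and the asset "name" is a
# file: URI, which is the request shape the answer uses to reproduce the bug.
def sprockets_probe?(request_path)
  decoded = fully_decode(request_path)
  return false unless decoded.start_with?('/assets/')
  decoded[8..-1].match?(/\Afile:/i)
end

# Pull the request path out of a combined-format log line, or nil.
def request_path(line)
  m = line.match(%r{"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"})
  m && m[1]
end

# Return one hash per matching line: client IP, decoded path, HTTP status.
def find_sprockets_probes(lines)
  lines.each_with_object([]) do |line, hits|
    path = request_path(line)
    next unless path && sprockets_probe?(path)
    hits << { ip: line.split(' ').first,
              path: fully_decode(path),
              status: line[/" (\d{3}) /, 1].to_i }
  end
end

find_sprockets_probes(LOG_LINES).each { |h| puts h.inspect } if $PROGRAM_NAME == __FILE__
```

On a patched app the matching lines should carry a 403 (the "forbidden" page the answer describes); a 200 on such a request is the signal to investigate.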
