Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Ruby on Rails Action View File Content Disclosure Vulnerability
Vulnerability
A file content disclosure vulnerability has been identified in Ruby on Rails. All releases before the fixed versions listed under Remediation (6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1) are affected, including the unsupported 3.x series. The issue is in Action View: when a controller calls 'render file:' without specifying a format, the formats used for template lookup are derived from the request's Accept header, so a specially crafted Accept header can steer the lookup to an arbitrary file on the server's filesystem. The targeted file is then rendered and its contents disclosed in the response.
Impact
Exploitation of this vulnerability gives an unauthenticated remote attacker read access to any file the application process can read, potentially including sensitive material such as the Rails secrets file. According to the Rails team, this can be escalated to remote code execution; in practice, disclosure of the application's secret key base lets an attacker forge signed and encrypted session data, which is the usual path to that escalation.
Reproduction
The vulnerability can be reproduced against a Rails application in which a reachable controller action calls 'render file:' without a 'formats:' option, by sending a request to that action with an 'Accept' header carrying a file path traversal payload instead of a normal media type. The requested file's contents are returned in the response body, demonstrating the disclosure. Actions that render ordinary templates rather than 'render file:', or that pass an explicit 'formats:' option, do not expose this path.
Remediation
Users are advised to upgrade to Ruby on Rails version 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2 or 4.2.11.1. For those unable to upgrade immediately, two workarounds are available: specify a format on every 'render file:' call (for example, pass 'formats: [:html]'), or apply the monkey patch provided by the Rails team, which filters the request formats so that only registered formats and the '*/*' wildcard are used for template lookup.
