Rails Active Storage Arbitrary Metadata Injection Vulnerability in Direct Uploads
Vulnerability
A vulnerability exists in Rails Active Storage prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 that allows clients to inject arbitrary metadata during direct uploads. The `DirectUploadsController` accepts this client-supplied metadata and saves it on the blob, including the internal flags `identified` and `analyzed`. Because those flags tell Active Storage whether a blob's content type has already been verified, an attacker can manipulate MIME type detection and validation and upload malicious content disguised as a safe type. The root cause is that the metadata store was used to track internal state that should instead be kept in dedicated database columns.
Impact
Exploitation of this vulnerability could allow for the injection of harmful files into the application, bypassing Active Storage's built-in content type validations. This could lead to security risks, such as executing malicious code or causing other types of harm, depending on the nature of the uploaded files.
Reproduction
To reproduce this vulnerability, upload a file through the Active Storage direct upload feature. Include metadata that manipulates the `identified` and `analyzed` flags. The uploaded file will bypass MIME type validation, as these flags will be set to indicate a safe content type.
Remediation
Users can upgrade to Active Storage versions 8.1.2.1, 8.0.4.1, or 7.2.3.1, where this vulnerability has been patched.
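As an added illustration of the defensive principle in the description above (example code written for this page, not Rails' own code, and not a substitute for upgrading), the following Ruby filter strips Active Storage's reserved internal metadata keys from client-supplied direct-upload parameters and enforces a server-side content-type allowlist. The allowlist contents, the function names and the error class are assumptions for the example; the reserved key names are the ones the advisory itself names.

```ruby
# Added example, not part of Rails. Active Storage records whether a blob's
# content type has been verified ("identified") and whether analysis has run
# ("analyzed") inside the blob's metadata hash, so a direct-upload endpoint
# must never let a client write those keys.
RESERVED_METADATA_KEYS = %w[identified analyzed].freeze

# Hypothetical application allowlist of content types accepted for direct upload.
ALLOWED_CONTENT_TYPES = %w[image/png image/jpeg application/pdf].freeze

class DirectUploadParamsError < StandardError; end

# Return a copy of +metadata+ with reserved keys removed, plus the list of keys
# that were stripped (worth logging: a client sending them is a tampering signal).
def sanitize_direct_upload_metadata(metadata)
  metadata = {} if metadata.nil?
  raise DirectUploadParamsError, "metadata must be a hash" unless metadata.is_a?(Hash)

  normalized = metadata.transform_keys(&:to_s)
  stripped = normalized.keys & RESERVED_METADATA_KEYS
  [normalized.reject { |key, _| RESERVED_METADATA_KEYS.include?(key) }, stripped]
end

# Validate the blob parameters a client sends when requesting a direct upload and
# return only the attributes that may be passed on to blob creation. The server
# keeps control of the content-type decision; the client's metadata never does.
def validate_direct_upload_params(params)
  params = params.to_h.transform_keys(&:to_s)

  content_type = params["content_type"].to_s
  unless ALLOWED_CONTENT_TYPES.include?(content_type)
    raise DirectUploadParamsError, "content type not allowed: #{content_type.inspect}"
  end

  byte_size = Integer(params["byte_size"], exception: false)
  if byte_size.nil? || byte_size <= 0
    raise DirectUploadParamsError, "byte_size must be a positive integer"
  end

  clean_metadata, stripped = sanitize_direct_upload_metadata(params["metadata"])

  {
    "filename" => params["filename"].to_s,
    "byte_size" => byte_size,
    "checksum" => params["checksum"].to_s,
    "content_type" => content_type,
    "metadata" => clean_metadata,
    "stripped_metadata_keys" => stripped,
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: a client trying to pre-mark its blob as identified/analyzed.
  request = {
    "filename" => "photo.png", "byte_size" => "4096", "checksum" => "constructed-checksum",
    "content_type" => "image/png",
    "metadata" => { "identified" => true, "analyzed" => true, "caption" => "holiday" },
  }
  attrs = validate_direct_upload_params(request)
  puts "metadata kept:   #{attrs['metadata']}"
  puts "keys stripped:   #{attrs['stripped_metadata_keys']}"
end
```

The filter is deliberately a reject-list on the two reserved keys plus an allowlist on the content type: even if a client manages to send a clean-looking metadata hash, the blob still goes through the application's own content-type decision rather than inheriting the client's claim that identification already happened.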