Rails Active Storage Path Traversal Vulnerability in Disk Service
Vulnerability
A path traversal vulnerability has been identified in the DiskService component of Rails Active Storage, affecting versions 8.1.0 through 8.1.2, 8.0.0 through 8.0.4, and all versions prior to 7.2.3.1. DiskService#path_for builds the filesystem path for a blob by joining the blob key onto the storage root, but it does not verify that the resolved path still lies within that root. A blob key containing traversal sequences such as ../ therefore resolves to a location outside the storage root, and the read, write and delete operations the service performs on that path act on arbitrary files on the server. Blob keys are generally trusted values generated by Active Storage itself, so the issue is only reachable where an application inadvertently passes user input as a key.
Impact
Exploitation allows arbitrary file read, write, or delete operations on the server, bounded only by the filesystem permissions of the process running the Rails application.
Reproduction
The traversal is reached whenever a blob whose key contains ../ sequences, such as ../../etc/passwd, is handed to DiskService. In practice that requires the application to set the key from untrusted input, for example by passing a request parameter as the key: option of ActiveStorage::Blob.create_and_upload!, or by building a blob with a user-derived key and attaching it to a record. Once such a blob exists, every DiskService operation that resolves the key through path_for operates on the escaped path, including the direct-upload and download requests handled by ActiveStorage::DiskController. DiskController is not an independent entry point: it acts on the key carried in a signed token that the application itself generated, so it only reaches the traversal when the application has already issued a token for a malicious key.
Remediation
Upgrade to Active Storage 8.1.2.1, 8.0.4.1, or 7.2.3.1, each of which adds the missing check that the path resolved from a blob key stays within the storage root. Instructions for upgrading can be found in the Rails release notes. Regardless of version, blob keys should never be derived from request parameters or other untrusted input; applications that do so should rely on the keys Active Storage generates.
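To make the missing root-containment check concrete, the following Ruby is an added example written for this page; it is not Rails' own DiskService code and not the upstream fix. It mimics the key-to-path layout Active Storage uses (two shard directories taken from the first four characters of the key, beneath a storage root) in a small stand-in class, shows how the traversal key from the Reproduction section resolves outside the root, and pairs it with a hardened variant that rejects any key whose resolved path leaves the root. The class and method names (UncheckedDiskPaths, CheckedDiskPaths, escapes_root?, well_formed_key?), the sample root /srv/storage, the sample keys, and the 28-character key format are illustrative assumptions.

```ruby
# Stand-in for the key -> filesystem path resolution performed by
# Active Storage's disk service. Constructed for this example; it is not
# the Rails implementation, and "/srv/storage" is an assumed root.
class UncheckedDiskPaths
  attr_reader :root

  def initialize(root)
    @root = File.expand_path(root)
  end

  # Active Storage shards blob files into two directory levels taken from
  # the first four characters of the key (ab/cd/abcd...).
  def folder_for(key)
    [key[0..1], key[2..3]].join("/")
  end

  # Vulnerable shape: the key is joined under the root and the result is
  # never checked, so "../" segments in the key walk out of the root.
  def path_for(key)
    File.join(root, folder_for(key), key)
  end
end

# Hardened variant: normalise the joined path and refuse any key whose
# resolved location is not strictly beneath the storage root.
class CheckedDiskPaths < UncheckedDiskPaths
  class PathTraversal < StandardError; end

  def path_for(key)
    candidate = File.expand_path(super) # collapses ".." and "." segments
    # Compare against root plus a separator so that "/srv/storage2" is not
    # mistaken for something inside "/srv/storage".
    prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
    unless candidate.start_with?(prefix)
      raise PathTraversal, "blob key resolves outside storage root: #{key.inspect}"
    end
    candidate
  end
end

# True when the unchecked resolution of +key+ lands outside +root+.
def escapes_root?(root, key)
  svc = UncheckedDiskPaths.new(root)
  resolved = File.expand_path(svc.path_for(key))
  !resolved.start_with?(svc.root + File::SEPARATOR)
end

# Defence in depth for applications that must accept a key from outside:
# allow only the shape of keys Active Storage generates itself. The
# 28 lowercase base36 characters are an assumption; adjust if the
# application sets custom keys.
KEY_FORMAT = /\A[a-z0-9]{28}\z/

def well_formed_key?(key)
  KEY_FORMAT.match?(key)
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/storage"
  good = "k9x2m7pq4r1w8z5n3v0t6y2b4c7d" # constructed, shaped like a generated key
  bad  = "../../etc/passwd"             # the traversal key from the advisory

  puts "unchecked good key -> #{UncheckedDiskPaths.new(root).path_for(good)}"
  puts "unchecked bad key  -> #{File.expand_path(UncheckedDiskPaths.new(root).path_for(bad))}"
  puts "bad key escapes root? #{escapes_root?(root, bad)}"
  begin
    CheckedDiskPaths.new(root).path_for(bad)
  rescue CheckedDiskPaths::PathTraversal => e
    puts "checked: #{e.message}"
  end
  puts "well formed? good=#{well_formed_key?(good)} bad=#{well_formed_key?(bad)}"
end
```

Two caveats on the check itself: the prefix comparison must include the trailing separator, otherwise a sibling directory sharing the root's name as a prefix would pass; and File.expand_path only normalises dot segments, it does not resolve symlinks, so a root that contains symlinks pointing outside it needs File.realpath on both sides of the comparison.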
