Ruby on Rails Active Storage Glob Injection Vulnerability in Disk Service

Vulnerability

A vulnerability in Ruby on Rails Active Storage's Disk Service allows glob injection, which could lead to the unintended deletion of files. This issue is present in Active Storage versions 8.1, 8.0, and prior to 7.2.3.1. The vulnerability arises because DiskService's delete_prefixed method passes blob keys directly to Dir.glob without escaping glob metacharacters. If blob keys are attacker-controlled, or are custom-generated and contain glob metacharacters, it may be possible to delete unintended files from the storage directory.

Impact

Exploitation of this vulnerability could result in the unintended deletion of files from the storage directory.

Reproduction

To reproduce this vulnerability, upload files using blob keys that include glob metacharacters, such as brackets or asterisks. Then call the delete_prefixed method with a prefix that contains glob metacharacters. The glob injection occurs because delete_prefixed does not escape these metacharacters before passing the prefix to Dir.glob, so every file matching the resulting glob pattern is deleted.
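The following Ruby script is an added example, not code from the advisory or from Rails itself. It models the flaw described in the Vulnerability and Reproduction sections with a simplified delete_prefixed that interpolates the prefix straight into a Dir.glob pattern, places a hardened variant beside it that escapes glob metacharacters first, and adds an allow-list check on key format. The escape_glob helper, the SAFE_KEY pattern (assumed to reflect Rails' default lowercase base-36 keys of at least 28 characters), and the sample file names are assumptions; everything runs in a throwaway temporary directory.

```ruby
require "tmpdir"
require "fileutils"

# Characters Dir.glob interprets specially, plus the backslash used to escape them.
GLOB_METACHARS = /[\\*?\[\]{}]/

# Escape a prefix so Dir.glob matches it literally. Assumed helper, not Rails' own
# code; Dir.glob honours the backslash escape unless File::FNM_NOESCAPE is given.
def escape_glob(str)
  str.gsub(GLOB_METACHARS) { |c| "\\#{c}" }
end

# Simplified model of the flaw the advisory describes: the prefix is interpolated
# into the glob pattern as-is, so any metacharacters in it are interpreted.
def delete_prefixed_vulnerable(root, prefix)
  Dir.glob(File.join(root, "#{prefix}*")).each { |path| FileUtils.rm_rf(path) }
end

# Hardened form: the prefix is escaped first, so only entries whose names
# literally start with it are matched and removed.
def delete_prefixed_hardened(root, prefix)
  Dir.glob(File.join(root, "#{escape_glob(prefix)}*")).each { |path| FileUtils.rm_rf(path) }
end

# Defence-in-depth check for deployments that keep Rails' default key generation
# (assumed: lowercase base-36 tokens, at least 28 characters). A custom key scheme
# needs its own rule; the point is to reject metacharacters before they reach glob.
SAFE_KEY = /\A[a-z0-9]{28,}\z/

def safe_key?(key)
  SAFE_KEY.match?(key)
end

# Constructed sample "blobs": two ordinary names and one that literally starts
# with the bracket prefix used below.
SAMPLE_FILES = ["abc", "xyz", "[ax]own"].freeze

# Creates the sample files in a temporary directory, runs one variant of
# delete_prefixed with the given prefix, and returns the sorted survivors.
def survivors_after_delete(prefix, hardened:)
  Dir.mktmpdir do |root|
    SAMPLE_FILES.each { |name| File.write(File.join(root, name), "blob") }
    if hardened
      delete_prefixed_hardened(root, prefix)
    else
      delete_prefixed_vulnerable(root, prefix)
    end
    Dir.children(root).sort
  end
end

if __FILE__ == $PROGRAM_NAME
  # With prefix "[ax]" the vulnerable variant deletes "abc" and "xyz" (the
  # character class matches them) and leaves the intended "[ax]own" untouched;
  # the hardened variant deletes only "[ax]own".
  puts "vulnerable, prefix '[ax]': #{survivors_after_delete('[ax]', hardened: false).inspect}"
  puts "hardened,   prefix '[ax]': #{survivors_after_delete('[ax]', hardened: true).inspect}"
  # A bare "*" prefix wipes the whole directory in the vulnerable variant.
  puts "vulnerable, prefix '*':    #{survivors_after_delete('*', hardened: false).inspect}"
  puts "hardened,   prefix '*':    #{survivors_after_delete('*', hardened: true).inspect}"
end
```

Run it with `ruby glob_injection_demo.rb`. Escaping the prefix is the fix; the safe_key? check is a separate layer for services that accept externally supplied keys and want to reject anything outside the expected alphabet before it reaches the storage layer.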

Remediation

Users can update to Active Storage versions 8.1.2.1, 8.0.4.1, or 7.2.3.1, all of which include the necessary patch to address this vulnerability.

Added: Mar 24, 2026, 12:30 AM
Updated: Mar 24, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 7.7
remediation:    0.0
relevance:      4.7
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.