View Component Preview Route Inheritance Vulnerability Allowing Internal Template Access

Vulnerability

ViewComponent, the view component framework for Ruby on Rails, is affected in versions 3.0.0 up to but not including 4.9.0. The preview route derives the example name from the URL and invokes it on the preview class with public_send, without checking that the requested method is one of the examples the preview class explicitly defines. Any public method the preview inherits from ViewComponent::Preview is therefore reachable through the route. The most significant of these is render_with_template, which takes template and locals keyword arguments; both can be populated from request parameters and are then passed to Rails as the arguments of render template:. Where previews are exposed to untrusted users, an attacker can use this to render internal Rails templates that no route normally serves.

Impact

An attacker who can reach the preview route can render arbitrary internal Rails templates and supply their locals. Depending on what those templates contain, this can disclose secrets, configuration data, debug output, admin-only partials, or values derived from the request or session.

Reproduction

The vulnerability is triggered by requesting the preview route with an example name that resolves to an inherited public method rather than to an example the preview class defines. With render_with_template, request parameters named template and locals are forwarded to the method and used to render a template that is not otherwise routable, such as one containing sensitive information. The preconditions are that previews are enabled in the environment and that the requester can reach the preview route.
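The dispatch flaw described in the Vulnerability and Reproduction sections, reduced to a stand-alone Ruby model. This is an added example and not ViewComponent's own code: PreviewBase, ButtonComponentPreview, the dispatch functions and the NotFound error are assumptions for illustration, and the attacker-supplied template path is constructed. Only render_with_template and its template/locals keyword arguments come from the advisory. The unchecked dispatcher shows how an inherited public method becomes reachable from a URL-derived name; the hardened variant restricts dispatch to the examples the preview class declares itself.

```ruby
# Added example (not ViewComponent's code). Models a preview dispatcher that
# resolves the example name from the URL and calls it with public_send.
NotFound = Class.new(StandardError)

# Stand-in for the framework base class every preview inherits from.
class PreviewBase
  # Inherited public method; in the real gem template/locals end up in
  # Rails' `render template:`. Here it just reports what would be rendered.
  def render_with_template(template: nil, locals: {})
    { template: template, locals: locals }
  end

  # Only methods the preview class declares itself count as examples.
  def self.examples
    public_instance_methods(false).map(&:to_s).sort
  end
end

# An application preview with exactly one explicitly defined example.
class ButtonComponentPreview < PreviewBase
  def default
    { template: "button_component_preview/default", locals: {} }
  end
end

# Vulnerable pattern: respond_to? is satisfied by ANY public method, inherited
# ones included, and request params matching the method's keyword parameters
# are forwarded as arguments.
def dispatch_unchecked(preview_class, example, params)
  preview = preview_class.new
  raise NotFound, example unless preview.respond_to?(example)
  wanted = preview.method(example).parameters.map { |_kind, name| name.to_s }
  kwargs = params.select { |k, _v| wanted.include?(k.to_s) }.transform_keys(&:to_sym)
  kwargs.empty? ? preview.public_send(example) : preview.public_send(example, **kwargs)
end

# Hardened pattern: reject anything that is not an explicitly defined example
# before any method lookup or argument binding happens.
def dispatch_hardened(preview_class, example, params)
  raise NotFound, example unless preview_class.examples.include?(example.to_s)
  dispatch_unchecked(preview_class, example, params)
end

if $PROGRAM_NAME == __FILE__
  # Constructed attacker request: example name is an inherited method and the
  # params name a template no route would normally serve.
  attack = { "template" => "internal/debug", "locals" => { "who" => "attacker" } }
  p dispatch_unchecked(ButtonComponentPreview, "render_with_template", attack)
  begin
    dispatch_hardened(ButtonComponentPreview, "render_with_template", attack)
  rescue NotFound => e
    puts "blocked: #{e.message}"
  end
  p dispatch_hardened(ButtonComponentPreview, "default", {})
end
```

The check in dispatch_hardened is deliberately placed before the method is even looked up, so that neither the keyword-parameter introspection nor public_send can run for a name outside the allowlist; using public_instance_methods(false) is what excludes the inherited surface of the base class.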

Remediation

Upgrade to ViewComponent 4.9.0 or later, where the preview route only dispatches to explicitly defined examples. Independently of the upgrade, previews should not be reachable by untrusted users: ViewComponent enables them by default only in the development and test environments, and config.view_component.show_previews controls whether the preview route is mounted at all, so confirm it is off in any deployment exposed to the public.

Added: May 26, 2026, 9:50 PM
Updated: May 26, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.0
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.