View Component Path Traversal Vulnerability in System Test Entrypoint

Vulnerability

A path traversal vulnerability has been identified in the View Component framework for Ruby on Rails, affecting versions 3.0.0 through 4.9.0. The issue arises in the system test entrypoint, where user-controlled file paths are canonicalized using File.realpath. The subsequent containment check, which verifies whether the resolved path begins with the temporary directory path, is flawed: a plain string-prefix comparison also accepts a sibling directory whose name shares that prefix, allowing unauthorized file access.
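The following Ruby script is an added illustration of the flaw described above and is not code from the View Component project. It constructs a temporary base directory and a sibling directory that shares its name as a prefix, then compares the prefix-only containment check with a corrected check that requires the canonicalized path to be the base itself or to lie beneath it (prefix followed by a path separator). All directory and file names are constructed for the example.

```ruby
require "tmpdir"
require "fileutils"

# Flawed containment check, as described in the advisory: a plain prefix
# comparison of the canonicalized candidate path against the base directory.
def weak_contained?(base, candidate)
  File.realpath(candidate).start_with?(File.realpath(base))
end

# Hardened check: the resolved path must equal the base or start with the base
# followed by a path separator, so "components_sibling" no longer matches
# "components". Paths that cannot be resolved are treated as not contained.
def strict_contained?(base, candidate)
  real_base = File.realpath(base)
  real_path = File.realpath(candidate)
  real_path == real_base || real_path.start_with?(real_base + File::SEPARATOR)
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Constructed fixture: a base directory and a sibling whose name shares the
# base's prefix. Returns the results of both checks for an in-base file and for
# a relative path that escapes the base via "..".
def demo
  Dir.mktmpdir("vc_demo") do |root|
    base = File.join(root, "components")
    sibling = File.join(root, "components_sibling")
    FileUtils.mkdir_p(base)
    FileUtils.mkdir_p(sibling)
    File.write(File.join(base, "ok.rb"), "# inside the base directory")
    File.write(File.join(sibling, "outside.txt"), "outside the base directory")

    inside = File.join(base, "ok.rb")
    escaping = File.join(base, "..", "components_sibling", "outside.txt")

    {
      weak_inside: weak_contained?(base, inside),
      weak_escaping: weak_contained?(base, escaping),     # true: the bug
      strict_inside: strict_contained?(base, inside),
      strict_escaping: strict_contained?(base, escaping)  # false: rejected
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |check, result| puts "#{check}: #{result}" }
end
```

Both functions canonicalize with File.realpath first, so symlinks and ".." segments are resolved before the comparison; the only difference is the separator-aware prefix test, which is what turns the prefix collision into a rejection.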

Impact

Exploitation of this vulnerability could lead to unauthorized access to files outside the intended directory, potentially allowing sensitive information to be read or manipulated.

Reproduction

To reproduce this vulnerability, create a file in a sibling directory of the temporary view components directory. Then, send a request to the system test entrypoint, including a parameter that references the crafted file using a relative path that escapes the base directory. The response should indicate successful exploitation by including the contents of the accessed file.

Remediation

Users are advised to update to View Component version 4.9.0 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 9:50 PM
Updated: May 26, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.6
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.