Michael de Silva's Blog

Software Engineer. Rubyist and Roboticist.

Dissecting The Latest Spree and Solidus API Security Vulnerability

Even though this vulnerability was announced on July 17th, I just happened to stumble on a tweet about it.

The important bit to look at in the source is this:

diff --git a/api/lib/spree/api/responders/rabl_template.rb b/api/lib/spree/api/responders/rabl_template.rb
index 4a061f4..0b0d31c 100644
--- a/api/lib/spree/api/responders/rabl_template.rb
+++ b/api/lib/spree/api/responders/rabl_template.rb
@@ -14,7 +14,7 @@ module Spree
         end

         def template
-          request.headers['X-Spree-Template'] || controller.params[:template] || options[:default_template]
+          options[:default_template]
         end
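Review bot: Dropping `request.headers['X-Spree-Template'] || controller.params[:template]` is the right fix, because both values are untrusted client input that was fed directly into the template name, which is what allowed arbitrary files to be requested. If per-request template selection is ever needed again, reintroduce it only against an allowlist of known template names (or at least a containment check on the resolved path), never as a raw string, and add a spec that asserts a traversal-style value falls back to `options[:default_template]`.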

So, before this fix, any template could be requested either via the X-Spree-Template header or the template param, and that client-supplied value was used directly to pick the template.

I wanted to verify this, so I spun up a copy of Spree I had on disk and toyed a bit with a spec, asking for the README.md file in the Spree app repo and comparing the request body to an empty string. Guess what? The request body contains the README text.

A savvy attacker only needs to ask for config/database.yml and/or spelunk through the initializers folder, looking for people following bad practices and committing API keys to disk rather than loading them via env vars.
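As an added illustration (not code from this post or from Spree itself), here is the shape of the removed lookup beside a hardened version, plus a small check that can be run over request logs to spot clients asking for template names outside the allowlist. The template root, the allowlist, the log line format and every function name below are constructed assumptions for this example; whether Spree's template engine appends an extension to the name is deliberately not modelled.

```ruby
require "pathname"
require "uri"

# Root directory the API's RABL templates live under. Constructed for this
# example; it is not Spree's real layout.
TEMPLATE_ROOT = Pathname.new("/app/api/app/views/spree/api/products").freeze

# Names a client may legitimately pick. Constructed allowlist for the example.
ALLOWED_TEMPLATES = %w[show index big_show].freeze

# Mirrors the precedence of the removed line: header first, then the param.
# `headers` and `params` are plain hashes standing in for the Rails objects.
def client_requested_template(headers, params)
  headers["X-Spree-Template"] || params[:template]
end

# Unsafe form: the client-supplied name is joined straight into the lookup path,
# so "../" segments or an absolute path walk out of TEMPLATE_ROOT.
def unsafe_template_path(requested, default: "show")
  name = (requested.nil? || requested.empty?) ? default : requested
  TEMPLATE_ROOT.join(name).cleanpath
end

# Hardened form: only allowlisted names are accepted, and the resolved path is
# still checked to sit under TEMPLATE_ROOT as a second line of defence.
# Returns nil for anything that should not be served.
def safe_template_path(requested, default: "show")
  name = (requested.nil? || requested.empty?) ? default : requested
  return nil unless ALLOWED_TEMPLATES.include?(name)

  path = TEMPLATE_ROOT.join(name).cleanpath
  return nil unless path.to_s.start_with?("#{TEMPLATE_ROOT}/")

  path
end

# True when a requested name would resolve outside TEMPLATE_ROOT under the
# unsafe lookup; useful in a spec that guards against regressions.
def escapes_root?(requested)
  !unsafe_template_path(requested).to_s.start_with?("#{TEMPLATE_ROOT}/")
end

# Detection over access-log style lines ("METHOD PATH STATUS", constructed
# format): return the lines whose template parameter is not an allowlisted name.
def suspicious_template_requests(log_lines)
  log_lines.select do |line|
    path = line.split(" ")[1]
    query = path.to_s.split("?", 2)[1]
    next false if query.nil?

    template = URI.decode_www_form(query).to_h["template"]
    !template.nil? && !ALLOWED_TEMPLATES.include?(template)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample log for a quick run.
  sample_log = [
    "GET /api/products/1?template=show 200",
    "GET /api/products/1?template=../../README.md 200",
    "GET /api/products/1 200",
  ]
  puts suspicious_template_requests(sample_log)
end
```

The allowlist is the real control here; the `start_with?` containment check only exists so that a future mistake in the allowlist (say, someone adding a name with a slash in it) still cannot serve a file from outside the template directory.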

Well, hope that clears it up!
