Input Validation Bypass Affecting activemodel package, versions < 5.0.0.beta1.1, >= 4.3 < 4.2.5.1, >= 4.2 < 4.1.14.1, > 4.0.13


Severity scores

  • Snyk CVSS: medium (Attack Complexity: Low); EPSS 0.43% (75th percentile)
  • NVD: 5.3 medium
  • Red Hat: 4.3 medium

  • Snyk ID SNYK-RUBY-ACTIVEMODEL-20260
  • published 24 Jan 2016
  • disclosed 24 Jan 2016
  • credit John Backus

Overview

activemodel is a toolkit for building modeling frameworks like Active Record. Affected versions of this Gem are vulnerable to Input Validation Bypass attacks.

Details

Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations.

Vulnerable code will look something like this:

    SomeModel.new(unverified_user_input)

Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to whitelist parameters and must specifically opt-out of input verification using the permit! method to allow mass assignment. For example, a vulnerable Rails application will have code that looks like this:

    def create
      params.permit! # allow all parameters
      @user = User.new params[:users]
    end

Active Model and Active Record objects are not equipped to handle arbitrary user input. It is up to the application to verify input before passing it to Active Model models. Rails users already have Strong Parameters in place to handle whitelisting, but applications using Active Model and Active Record outside of a Rails environment may be impacted.
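As an added example (not code from the advisory or from Active Model), the following pure-Ruby filter shows the kind of whitelisting an application outside Rails would do before handing input to a model: only a fixed set of attribute names is kept, and only plain scalar values are allowed through, so nested structures never reach the model. The helper `permit_attributes` and the attribute names are assumptions made for this example.

```ruby
# Added example: whitelist untrusted input before it reaches an Active Model
# object. `permit_attributes` is a hypothetical helper written for this page.

SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class DisallowedInputError < StandardError; end

# Returns a new hash containing only the permitted attributes, with symbol
# keys. Unknown keys and non-scalar values (nested hashes, arrays, objects)
# are dropped, or raise DisallowedInputError when strict: true.
# Keys are compared as strings so unknown user-supplied keys are never interned.
def permit_attributes(input, allowed, strict: false)
  raise DisallowedInputError, "expected a Hash, got #{input.class}" unless input.is_a?(Hash)

  allowed_names = allowed.map(&:to_s)
  permitted = {}
  input.each do |key, value|
    name = key.to_s
    unless allowed_names.include?(name)
      raise DisallowedInputError, "unexpected attribute #{name.inspect}" if strict
      next
    end
    unless SCALAR_TYPES.any? { |t| value.is_a?(t) }
      raise DisallowedInputError, "non-scalar value for #{name.inspect}" if strict
      next
    end
    permitted[name.to_sym] = value
  end
  permitted
end

# Vulnerable pattern from the advisory:  SomeModel.new(unverified_user_input)
# Filtered pattern:                      SomeModel.new(permit_attributes(unverified_user_input, %i[name email]))

if __FILE__ == $0
  # Constructed sample input: two expected fields plus two that must not get through.
  untrusted = { "name" => "alice", "email" => "a@example.com",
                "admin" => true, "name" + "_options" => { "validate" => false } }
  p permit_attributes(untrusted, %i[name email]) # => {:name=>"alice", :email=>"a@example.com"}
end
```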