Hobo Security Hole


Posted on 02 Dec 2010 22:46

This problem is fixed in 1.0-stable and 1.3

Hobo 1.0.1 and 1.0.2 have a security hole: anyone can fill your database with unwanted data. The create action saves the new record without an acting user, so the model's create_permitted? check is never consulted; the fix below wraps the save in with_acting_user so that check runs as the current user. Including the file below (config/initializers/fix_hobo_model_controller.rb) in your project prevents the problem:

#config/initializers/fix_hobo_model_controller.rb
 
module FixHoboModelController
  #lib/hobo/model_controller.rb
  def hobo_create(*args, &b)
    options = args.extract_options!
    attributes = options[:attributes] || attribute_parameters || {}
    if self.this ||= args.first
      this.user_update_attributes(current_user, attributes)
    else
      self.this = new_for_create(attributes)
      # this.save  # Original line: saves with no acting user, so no permission check
      this.with_acting_user(current_user) { this.save } # SUGGESTED FIX
    end
    create_response(:new, options, &b)
  end
end
 
module ActionController
  class Base
    def self.hobo_model_controller(model=nil)
      @model = model
      include Hobo::ModelController
      include FixHoboModelController
    end
  end
end
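To show why the one-line change matters, here is an added illustration that is not Hobo's or this post's code: a stripped-down plain-Ruby model of Hobo's acting_user mechanism, with assumed names User, GUEST, unguarded_create and guarded_create. The permission callback only fires when an acting user is set, so the original bare this.save never reaches create_permitted?, while the wrapped save raises for a guest and only succeeds for an administrator.

```ruby
PermissionDenied = Class.new(StandardError)
# Stand-in for Hobo's user and guest objects (constructed for this example)
User = Struct.new(:name, :admin) do
  def administrator?
    admin
  end
end
GUEST = User.new("guest", false)

class Organization
  @@rows = [] # stand-in for the organizations table
  attr_reader :acting_user
  def initialize(attrs)
    @name = attrs[:name]
  end
  def self.count
    @@rows.size
  end
  # The permission rule from the post's model
  def create_permitted?
    acting_user.administrator?
  end
  # Mirrors Hobo's with_acting_user: the user is set only for the block
  def with_acting_user(user)
    previous, @acting_user = @acting_user, user
    yield
  ensure
    @acting_user = previous
  end
  # Mirrors Hobo's before_create permission check: it only runs when an
  # acting user is present, so a bare save never consults create_permitted?
  def save
    if acting_user && !create_permitted?
      raise PermissionDenied, "#{acting_user.name} may not create"
    end
    @@rows << self
    true
  end
end

# The original hobo_create path: this.save with no acting user set
def unguarded_create(attrs)
  Organization.new(attrs).save
end

# The suggested fix: this.with_acting_user(current_user) { this.save }
def guarded_create(user, attrs)
  org = Organization.new(attrs)
  org.with_acting_user(user) { org.save }
end
```

In a real Hobo app the PermissionDenied raised on the guarded path is what the controller turns into the 403 that the functional test further down expects.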

This problem is submitted as Ticket #880

The authentication can be bypassed: anyone can post unwanted data to your website from the command line with curl.

I discovered the problem executing the functional test below:

require File.dirname(__FILE__) + '/../test_helper'
 
#See
#   https://github.com/thoughtbot/shoulda
#   http://guides.rubyonrails.org/testing.html#functional-tests-for-your-controllers
 
# GET    /items        #=> index
# GET    /items/1      #=> show
# GET    /items/new    #=> new
# GET    /items/1/edit #=> edit
# PUT    /items/1      #=> update
# POST   /items        #=> create
# DELETE /items/1      #=> destroy
 
class OrganizationsControllerTest < ActionController::TestCase
  context "Security:  " do
    setup do
      @organization = Factory(:organization)
      @attrs = Factory.attributes_for(:organization)
    end
    context "Guest" do
      #setup {login_as somebody}
      context "(read_actions)" do
        should "get index" do
          get :index
          assert_response :success
        end
        should "get show" do
          get :show, :id=>@organization.id
          assert_response :success
        end
      end
      context "(edit actions)" do
        should "not get new" do
          get :new
          assert_response :success
          assert_no_tag :tag=>'form'
        end
        should "not get edit" do
          get :edit, :id=>@organization.id
          assert_response :success
          assert_no_tag :tag=>'form'
        end
      end
      context "(write_actions)" do
        should "not post create" do
          count1 = Organization.count
          post :create, :organization => @attrs
          count2 = Organization.count
          assert_equal count1, count2, "Nothing created"
          assert_response :forbidden
        end
        should "not put update" do
          put :update, :id=>@organization.id, :organization => @attrs
          assert_response :forbidden
        end
        should "not delete" do
          delete :destroy, :id=>@organization.id
          assert_response :forbidden
        end
      end
    end
  end
end

against the model:

class Organization < ActiveRecord::Base
 
  hobo_model # Don't put anything above this
 
  fields do
    name :string, :required, :unique, :null=>false, :index=>true
    timestamps
  end
  #index [:name], :unique=>true
 
  # --- Permissions --- #
 
  def create_permitted?
    # puts "create_permitted? #{acting_user.administrator?}"
    acting_user.administrator?
  end
 
  def update_permitted?
    acting_user.administrator?
  end
 
  def destroy_permitted?
    acting_user.administrator?
  end
 
  def view_permitted?(field)
    true
  end
 
end

My advice is to include a "Security: " context like the one in the test above in all your functional tests, so that you become aware of security problems, Hobo or not. This test is independent of Hobo.


You can contact me if you have questions or corrections.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License