Blog » Hobo Security Hole
Posted on 02 Dec 2010 22:46
This problem is fixed in 1.0-stable and 1.3
Hobo 1.0.1 and 1.0.2 have a security hole: an attacker can fill your database with unwanted data. In hobo_create, a newly built record is saved with a plain this.save, that is, without an acting user, so the model's create_permitted? rule is never consulted. Adding the file below (config/initializers/fix_hobo_model_controller.rb) to your project prevents the problem by running the save under with_acting_user(current_user):
# config/initializers/fix_hobo_model_controller.rb
module FixHoboModelController
  # Overrides hobo_create from lib/hobo/model_controller.rb
  def hobo_create(*args, &b)
    options = args.extract_options!
    attributes = options[:attributes] || attribute_parameters || {}
    if self.this ||= args.first
      this.user_update_attributes(current_user, attributes)
    else
      self.this = new_for_create(attributes)
      # this.save #Original Line
      this.with_acting_user(current_user) { this.save } # SUGGESTED FIX
    end
    create_response(:new, options, &b)
  end
end

# Re-open hobo_model_controller so the override is mixed in after
# Hobo::ModelController and therefore takes precedence.
module ActionController
  class Base
    def self.hobo_model_controller(model=nil)
      @model = model
      include Hobo::ModelController
      include FixHoboModelController
    end
  end
end
This problem was submitted as Ticket #880.
The permission checks can be bypassed without logging in: an unauthenticated client can POST unwanted data to your website from the command line with curl.
I discovered the problem by running the functional test below:
require File.dirname(__FILE__) + '/../test_helper'
# See
# https://github.com/thoughtbot/shoulda
# http://guides.rubyonrails.org/testing.html#functional-tests-for-your-controllers
#
# GET    /items        #=> index
# GET    /items/1      #=> show
# GET    /items/new    #=> new
# GET    /items/1/edit #=> edit
# PUT    /items/1      #=> update
# POST   /items        #=> create
# DELETE /items/1      #=> destroy
class OrganizationsControllerTest < ActionController::TestCase
  context "Security: " do
    setup {
      @organization = Factory(:organization)
      @attrs = Factory.attributes_for(:organization)
    }

    # No login in this context: every request is made as a guest.
    context "Guest" do
      #setup {login_as somebody}

      context "(read_actions)" do
        should "get index" do
          get :index
          assert_response :success
        end
        should "get show" do
          get :show, :id=>@organization.id
          assert_response :success
        end
      end

      # Hobo renders the page but must not offer a form to a guest.
      context "(edit actions)" do
        should "not get new" do
          get :new
          assert_response :success
          assert_no_tag :tag=>'form'
        end
        should "not get edit" do
          get :edit, :id=>@organization.id
          assert_response :success
          assert_no_tag :tag=>'form'
        end
      end

      # The row count is the observable that caught the hole: a guest POST
      # must not add a record.
      context "(write_actions)" do
        should "not post create" do
          count1 = Organization.count
          post :create, :organization => @attrs
          count2 = Organization.count
          assert_equal count1, count2, "Nothing created"
          assert_response :forbidden
        end
        should "not put update" do
          put :update, :id=>@organization.id, :organization => @attrs
          assert_response :forbidden
        end
        should "not delete" do
          delete :destroy, :id=>@organization.id
          assert_response :forbidden
        end
      end
    end
  end
end
against the model:
class Organization < ActiveRecord::Base
  hobo_model # Don't put anything above this

  fields do
    name :string, :required, :unique, :null=>false, :index=>true
    timestamps
  end
  #index [:name], :unique=>true

  # --- Permissions --- #
  # Only administrators may create, update or destroy; anyone may read.
  def create_permitted?
    # puts "create_permitted? #{acting_user.administrator?}"
    acting_user.administrator?
  end

  def update_permitted?
    acting_user.administrator?
  end

  def destroy_permitted?
    acting_user.administrator?
  end

  def view_permitted?(field)
    true
  end
end
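To make the failure mode concrete without a Rails application, here is an added example (not Hobo's code and not from the original post) that models the three pieces above in plain Ruby: an in-memory Organization with the same create_permitted? rule, a save that only consults the rule when an acting user is set, and the two shapes of hobo_create, the original this.save and the with_acting_user fix. The names User, GUEST, PermissionDenied, vulnerable_create, fixed_create and post_as are assumptions made for the example; post_as stands in for the unauthenticated POST /organizations that curl would send and reports the same observable the functional test checks, whether the row count grew.

```ruby
# Added example, not Hobo's code: a self-contained model of the hole above.
# Organization is an in-memory stand-in for the Hobo model; save,
# with_acting_user and create_permitted? follow the shape of the Hobo
# permission API as used on this page, and the internals are assumed.

class PermissionDenied < StandardError; end

# Minimal user: the permission rule only looks at administrator?.
class User
  attr_reader :name

  def initialize(name, admin: false)
    @name  = name
    @admin = admin
  end

  def administrator?
    @admin
  end
end

# An unauthenticated request acts as a guest, who is never an administrator.
GUEST = User.new("guest")

class Organization
  @@rows = []                      # in-memory "table", no database needed
  attr_reader   :name
  attr_accessor :acting_user

  def self.count; @@rows.size; end
  def self.reset!; @@rows.clear; end

  def initialize(attrs)
    @name = attrs[:name]
  end

  # Same rule as the model on the page: only administrators may create.
  def create_permitted?
    acting_user.administrator?
  end

  # Run the block with acting_user set, then restore the previous value.
  def with_acting_user(user)
    previous = acting_user
    self.acting_user = user
    yield
  ensure
    self.acting_user = previous
  end

  # Assumption that drives the bug: the permission check only fires when an
  # acting user is present. A save with acting_user == nil is treated as
  # trusted framework code and persists the row unconditionally.
  def save
    if acting_user && !create_permitted?
      raise PermissionDenied, "#{acting_user.name} may not create Organization"
    end
    @@rows << self
    true
  end
end

# Vulnerable hobo_create shape (the "Original Line" above): the record is
# built from request parameters and saved with no acting user, so
# current_user is never looked at.
def vulnerable_create(current_user, attrs)
  org = Organization.new(attrs)
  org.save
  org
end

# Fixed shape from the initializer above: the save runs under
# with_acting_user, so create_permitted? is consulted for the requester.
def fixed_create(current_user, attrs)
  org = Organization.new(attrs)
  org.with_acting_user(current_user) { org.save }
  org
end

# Simulates one POST /organizations as the given user and reports whether a
# row was persisted: :created or :forbidden.
def post_as(user, create_method, attrs)
  before = Organization.count
  send(create_method, user, attrs)
  Organization.count > before ? :created : :forbidden
rescue PermissionDenied
  :forbidden
end

if __FILE__ == $0
  spam = { name: "spam-org" }      # constructed request body
  Organization.reset!
  puts "guest, vulnerable: #{post_as(GUEST, :vulnerable_create, spam)}"
  Organization.reset!
  puts "guest, fixed:      #{post_as(GUEST, :fixed_create, spam)}"
  admin = User.new("root", admin: true)
  puts "admin, fixed:      #{post_as(admin, :fixed_create, { name: "real-org" })}"
end
```

Run it with ruby: the guest request is persisted through vulnerable_create and refused through fixed_create, while an administrator still creates normally, which is exactly the split the "not post create" test above encodes as an unchanged row count plus a :forbidden response.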
My advice is to include the "Security: " context from the test above in all your functional tests, so that you become aware of security problems, Hobo or not: the test is independent of Hobo.
You can contact me if you have questions or corrections.