Information disclosure vulnerability through Ransack searches

John Hawthorn

19 Aug 2015 - 3 mins read

We've released Solidus 1.0.1 to address a major security vulnerability.

Versions Affected

  • Solidus 1.0.0, all versions of Spree

Fixed Versions

  • Solidus 1.0.1

We've discovered another major security vulnerability in Solidus/Spree. All stores are advised to upgrade immediately. A huge thanks to Jeff Dutil for working with us once again in making a coordinated release of Spree along with Solidus.

Impact

Through specially crafted search params, an attacker is able to bypass authorization checks and determine the contents of database records. This may be used to expose customer details, admin API keys, and other sensitive information. The vulnerability is reachable through the API (a key is not required), the frontend, and the backend.

Workarounds

This initialiser prevents Ransack from searching across associations by default. It is less complete than the patches, which also add whitelisting of attributes.

# config/initializers/security_20150817.rb
#
# This is a less complete solution than the new releases of Solidus and Spree,
# which also change searchable attributes to a whitelist.  It is designed to
# apply without issue to as many stores as possible (at least to Spree 2.1,
# 2.2, 2.3, 2.4, 3.0, and Solidus).
#
# Custom Ransack searches in your store may have to be added to this list.

Rails.application.config.to_prepare do
  raise "Spree.user_class must be defined first" unless Spree.user_class

  whitelisted_associations = {
    # Revoke the ability to search across associations via ransack
    ActiveRecord::Base => [],

    # Put back the ability to search across associations that we know are used
    Spree::LineItem => ['variant'],
    Spree::Order => ['shipments', 'user', 'promotions', 'bill_address', 'ship_address', 'line_items', 'inventory_units'],
    Spree::Product => ['stores', 'variants_including_master', 'master', 'variants'],
    Spree::Promotion => ['codes'],
    Spree::Variant => ['option_values', 'product', 'prices', 'default_price'],

    Spree.user_class => ['bill_address', 'ship_address']
  }

  whitelisted_associations.each do |klazz, associations|
    klazz.define_singleton_method(:ransackable_associations) { |auth_object=nil| associations }
  end
end

NB. This provides a whitelist for all associations used by stock Solidus/Spree. If you have any custom ransack searches, you may need to add them to the whitelist.
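As an added example (not code from the Solidus or Spree projects), the following Ruby pre-filter shows the same whitelisting idea applied to incoming search keys: a key is accepted only if every association it walks and the attribute it ends on are on the allowed list, so a key naming an unlisted association or column is dropped before it reaches Ransack. SCHEMA is a constructed subset of Spree models whose association entries follow the initialiser above; the attribute lists are assumptions for illustration.

```ruby
# Hypothetical pre-filter for Ransack search keys (not Solidus/Spree code).
# Longest predicates first so "not_cont" is matched before "cont".
PREDICATES = %w[
  eq not_eq cont not_cont start end in not_in lt lteq gt gteq
  null present blank true false matches
].sort_by { |p| -p.length }.freeze

# Constructed subset of Spree models. Associations mirror the initialiser's
# whitelist; attribute lists are assumed for the example.
SCHEMA = {
  'Spree::Order' => {
    associations: { 'user' => 'Spree::User', 'bill_address' => 'Spree::Address',
                    'line_items' => 'Spree::LineItem' },
    attributes: %w[number state email completed_at]
  },
  'Spree::User' => { associations: {}, attributes: %w[email] },
  'Spree::Address' => { associations: {}, attributes: %w[firstname lastname city zipcode] },
  'Spree::LineItem' => { associations: { 'variant' => 'Spree::Variant' }, attributes: %w[quantity] },
  'Spree::Variant' => { associations: {}, attributes: %w[sku] }
}.freeze

# True only if every association hop and the final attribute of a Ransack key
# such as "line_items_variant_sku_eq" is whitelisted for `model`. Keys without
# a recognised predicate, or using _or_/_and_ combinators, fail closed.
def allowed_search_key?(model, key, max_depth: 3)
  predicate = PREDICATES.find { |p| key.end_with?("_#{p}") }
  return false unless predicate
  path = key[0...-(predicate.length + 1)]
  max_depth.times do
    spec = SCHEMA[model]
    return false unless spec
    return true if spec[:attributes].include?(path)
    # Prefer the longest association name so "bill_address" beats "bill".
    assoc = spec[:associations].keys.sort_by { |a| -a.length }
                .find { |a| path.start_with?("#{a}_") }
    return false unless assoc
    model = spec[:associations][assoc]
    path = path[(assoc.length + 1)..-1]
  end
  false
end

# Keeps only the allowed keys of a Ransack params hash (e.g. params[:q]).
def sanitize_ransack_params(model, q)
  q.select { |key, _| allowed_search_key?(model, key.to_s) }
end
```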

Credits

Discovered by Andrew Thal of Bonobos