科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Multiple security vulnerabilities in Rails

229 points by alinajaf, over 9 years ago

8 comments

andersonmvd, over 9 years ago
I've grouped the patches for 4.1 and 4.2 here: https://drive.google.com/file/d/0BwnrE2iUdypUMkpqWVVPTXNzNVU/view -- because downloading them one by one is boring. Don't trust me, verify each file before patching. Some comments:

[CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack: Look for routes that contain ":controller" and change it to something else. Hopefully you didn't have this weird name in your routes.

[CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You're safe if you use a single page application that properly encodes for you. Stripping tags isn't the best way to filter XSS anyway, so if you're encoding, you're good.

[CVE-2016-0753] Possible Input Validation Circumvention in Active Model: params.permit! is negligence; you should not be doing that anyway.

[CVE-2016-0752] Possible Information Leak Vulnerability in Action View: render params[:id] is not defensive programming, so you should not be doing that either.

[CVE-2015-7577] Nested attributes rejection proc bypass in Active Record: Only if using nested_attributes and a rejection proc. Wasn't my case. Just patch.

[CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack: DoS is bad, just patch.

[CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller: Just patch.

-- Doesn't look THAT bad, but needs to be patched fast.
Reply #10970542 not loaded
Reply #10971309 not loaded
Reply #10972081 not loaded
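The `render params[:id]` point above is easiest to see with the path resolution written out. The block below is an added example, not code from the thread or from Rails: a plain-Ruby resolver that mimics what a dynamic `render` does with a client-controlled template name, beside an allow-listed version. The view root `/app/views`, the template names and the traversal string are constructed for the example.

```ruby
# Added example: why `render params[:id]` is an information leak.
# The view root and template names are constructed; this is not Rails' own lookup code.

VIEW_ROOT = "/app/views".freeze  # assumed application layout

# Unsafe: resolves whatever the client sent relative to the view root.
# A value such as "../../../../etc/passwd" escapes the view directory,
# which is exactly how `render params[:id]` turns into a file read.
def resolve_template_unsafe(name)
  File.expand_path(name, VIEW_ROOT)
end

# True when a resolved path is no longer underneath VIEW_ROOT.
def escapes_view_root?(path)
  !path.start_with?(VIEW_ROOT + File::SEPARATOR)
end

# Hardened: the client may only select among a fixed set of templates,
# and the resolved path is re-checked against the view root as defence in
# depth (a later edit to the allow-list could otherwise reintroduce a traversal).
ALLOWED_TEMPLATES = %w[dashboards/index dashboards/show].freeze

def resolve_template_safe(name)
  unless ALLOWED_TEMPLATES.include?(name)
    raise ArgumentError, "template not allowed: #{name.inspect}"
  end
  path = File.expand_path(name, VIEW_ROOT)
  raise ArgumentError, "template escapes view root: #{path}" if escapes_view_root?(path)
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input: the classic traversal payload.
  evil = "../../../../etc/passwd"
  puts "unsafe resolves #{evil.inspect} to #{resolve_template_unsafe(evil)}"
  begin
    resolve_template_safe(evil)
  rescue ArgumentError => e
    puts "safe rejects it: #{e.message}"
  end
end
```

The allow-list is the real fix; the `start_with?` check only guards against the list itself being polluted later. In a Rails app the equivalent is rendering a template chosen by a `case` over `params[:id]`, never the raw string.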
nfm, over 9 years ago
Doesn't look *too* bad, although there are a lot of CVEs to go through:

- A timing attack if you're using HTTP basic auth
- A couple of GC related DoS attacks
- An issue with `accepts_nested_attributes_for` if you're using both the `allow_destroy` and `reject_if` options
- A validation bypass exploit if you're calling `SomeModel.new(params[:some_model])` instead of using StrongParams
- An information leak exploit if you're calling `render params[:something]` with raw user input
- A bunch of potential XSS exploits

The `render` issue looks like it could cause the most harm, but hopefully shouldn't be too prevalent. The XSS issues should be a quick fix as you only have to update `rails-html-sanitizer`, not Rails itself.
Reply #10970588 not loaded
Reply #10971524 not loaded
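The `SomeModel.new(params[:some_model])` versus StrongParams distinction above is worth seeing in code. The block below is an added example, not code from the thread or from Rails: a plain-Ruby model that mass-assigns every key it is given, beside a small allow-list filter written in the spirit of strong parameters (only named keys pass, only scalar values pass, nested hashes need their own sub-list). The `User` class and the request parameters are constructed for the example.

```ruby
# Added example: mass assignment with and without an allow-list.
# The User class and REQUEST_PARAMS are constructed; `permit` here is a
# plain-Ruby sketch, not ActionController::Parameters#permit itself.

class User
  attr_accessor :name, :email, :admin

  # Mass assignment: every key in attrs becomes a setter call.
  def initialize(attrs = {})
    @admin = false
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Strong-parameters style: only these value types count as "scalars".
PERMITTED_SCALARS = [String, Symbol, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def permitted_scalar?(value)
  PERMITTED_SCALARS.any? { |t| value.is_a?(t) }
end

# permit(params, :name, :email, address: [:city]) keeps only the named keys.
# A scalar rule drops non-scalar values (a hash sent where a string was
# expected is discarded rather than handed to the model), and a hash rule
# recurses with its own sub-list.
def permit(params, *allowed)
  allowed.each_with_object({}) do |rule, out|
    case rule
    when Symbol, String
      key = rule.to_s
      out[key] = params[key] if params.key?(key) && permitted_scalar?(params[key])
    when Hash
      rule.each do |key, subkeys|
        nested = params[key.to_s]
        out[key.to_s] = permit(nested, *subkeys) if nested.is_a?(Hash)
      end
    end
  end
end

# Constructed request: the client has added an "admin" key the form never offered.
REQUEST_PARAMS = {
  "user" => { "name" => "mallory", "email" => "m@example.com", "admin" => true }
}.freeze

# Unsafe: everything the client sent reaches the model, including "admin".
def build_user_unsafe(params = REQUEST_PARAMS)
  User.new(params["user"])
end

# Safe: only the two fields the form is allowed to set are assigned.
def build_user_safe(params = REQUEST_PARAMS)
  User.new(permit(params["user"], :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe admin flag: #{build_user_unsafe.admin}"
  puts "safe   admin flag: #{build_user_safe.admin}"
end
```

The scalar check is the part people forget: an allow-list of key names alone still lets a client send `{"name" => {"x" => "y"}}`, and a validation written for a string may not fire on a hash.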
deanclatworthy, over 9 years ago
I see a timing attack in the list. It's fairly trivial to mitigate against this in the majority of languages nowadays [1] [2] [3] etc.

I presume this can also be mitigated by implementing rate limiting on your authentication endpoints, although that should also be implemented for other reasons.

[1] https://golang.org/pkg/crypto/subtle/#ConstantTimeCompare
[2] http://php.net/manual/en/function.hash-equals.php
[3] http://www.levigross.com/2014/02/07/constant-time-comparison-functions-in...-python-haskell-clojure-and-java/
Reply #10970234 not loaded
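For Ruby specifically, the mitigation the comment refers to looks like the block below. It is an added example, not code from the thread or from Rails: a naive comparison beside a constant-time one (hash both sides to a fixed length, then XOR every byte and accumulate, so neither the length nor the position of the first mismatch affects the running time), and a Basic-auth check built on it that evaluates both the username and the password comparison before deciding. The credentials and the `Authorization` header values are constructed for the example.

```ruby
# Added example: constant-time credential comparison for HTTP Basic auth.
# EXPECTED_USER / EXPECTED_PASS are constructed sample values.
require "digest"

# Naive: String#== returns at the first differing byte, so the elapsed time
# reveals how many leading bytes the attacker has already guessed correctly.
def insecure_compare(a, b)
  a == b
end

# Constant-time: hash both inputs so the compared strings always have the
# same length (length is not leaked), then OR together the XOR of every byte
# pair; the loop never exits early and the result depends only on the
# accumulator at the end.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  acc = 0
  da.bytes.zip(db.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

EXPECTED_USER = "admin".freeze
EXPECTED_PASS = "correct horse battery staple".freeze  # constructed

# Parses "Basic <base64(user:pass)>" and checks it without short-circuiting:
# a wrong username still costs the same as a wrong password.
def basic_auth_ok?(authorization_header)
  return false unless authorization_header.is_a?(String)
  scheme, encoded = authorization_header.split(" ", 2)
  return false unless scheme == "Basic" && encoded
  user, pass = encoded.unpack1("m").split(":", 2)
  user_ok = secure_compare(user, EXPECTED_USER)
  pass_ok = secure_compare(pass, EXPECTED_PASS)
  user_ok & pass_ok   # non-short-circuit AND on two already-computed booleans
end

# Helper to build a header value the way a client would.
def basic_header(user, pass)
  "Basic " + ["#{user}:#{pass}"].pack("m0")
end

if __FILE__ == $PROGRAM_NAME
  puts basic_auth_ok?(basic_header("admin", "correct horse battery staple"))  # true
  puts basic_auth_ok?(basic_header("admin", "wrong"))                         # false
end
```

Hashing before comparing is the same trick `Rack::Utils.secure_compare` and `ActiveSupport::SecurityUtils.secure_compare` use; in a Rails app, prefer those over a hand-rolled loop, and keep the rate limiting the comment mentions as a second layer, since it reduces the number of timing samples an attacker can collect rather than removing the signal.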
matdrewin, over 9 years ago
On one hand, I find that Rails often has security issues. On the other hand, perhaps it is just indicative of its popularity and interest. When a framework has no security issues, is it because there are none, or is it just that no one can be bothered to look for some?
Reply #10971504 not loaded
Reply #10975272 not loaded
dain, over 9 years ago
Aah, Aaron. Thanks. Everywhere he codes he refactors, fixes performance issues, finds bugs; he's so my hero.
Reply #10972451 not loaded
igravious, over 9 years ago
A quick `bundle update` appears to be just the ticket:

    …
    Installing rails-html-sanitizer 1.0.3 (was 1.0.2)
    Installing actionmailer 4.2.5.1 (was 4.2.5)
    Installing activemodel 4.2.5.1 (was 4.2.5)
    Installing activerecord 4.2.5.1 (was 4.2.5)
    Installing railties 4.2.5.1 (was 4.2.5)
    Installing rails 4.2.5.1 (was 4.2.5)
    …
    Bundle updated!
forced-request, over 9 years ago
CVE-2016-0752 is explained in more detail here: https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/
Reply #10974355 not loaded
tetraverse, over 9 years ago
What was the name of that still-in-development OS that is going to mitigate against most forms of conventional attacks?

random quote: 'I used to consume cannabis on a daily basis, I suffer no short term memory loss, as far as I can remember....'