Backo Backo - 6 months ago 20
Ruby Question

Is it safe to accept URL parameters for populating the `url_for` method?

I am using Ruby on Rails 4.1.1 and I am thinking of accepting parameters (through URL query strings) that are passed directly to the `url_for` method, this way:

```ruby
# URL in the browser
http://www.myapp.com?redirect_to[controller]=users&redirect_to[action]=show&redirect_to[id]=1

# Controller
...
redirect_to url_for(params[:redirect_to].merge(:only_path => true))
```

Adopting the above approach, users can be redirected after performing an action. However, I think people can enter arbitrary `params` that can lead to security issues...

Is it safe to accept URL parameters for populating the `url_for` method? What are the pitfalls? What can happen in the worst case?

By logging `params` during requests to my application I noted Rails always adds `:controller` and `action` parameters. Maybe that confirms `url_for` can be used the above way since it is protected internally and works as Rails is intended to.

Answer

This is safe internally as Ruby on Rails will only be issuing an HTTP redirect response.

As you are using `only_path`, this will protect you from an open redirect vulnerability. This is where an email is sent by an attacker containing a link in the following format (say your site is example.com).

```
https://example.com?foo=bar&bar=foo&redirect=http://evil.com
```

As the user checks the URL and sees it is on the example.com domain they believe it is safe, so they click the link. However, if there's an open redirect then the user ends up on evil.com, which could ask for their example.com password without the user noticing.

Redirecting to a relative path only on your site fixes any vulnerability.

In your case you are giving users control of your controller, action and parameters. As long as your GET methods are safe (i.e. no side-effects), an attacker could not use this by creating a crafted link that the user opens.

In summary, from the information provided I don't see any risk from phishing URLs to your application.
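As an added example (not part of the answer or of the asker's application), here is a plain-Ruby check, using only the standard library's `URI`, for the rule the answer relies on: a redirect target is used only if it is a path on your own site, and anything else falls back to a known-safe location. The names `local_redirect_path?` and `safe_redirect_target` are hypothetical, and the sample inputs are constructed.

```ruby
require 'uri'

# Decide whether a user-supplied redirect target may be used as-is.
# Accept only a path that stays on the current site: it must start with a
# single "/", carry no scheme, host or userinfo, and must not be the
# protocol-relative "//other.example" form that browsers resolve off-site.
def local_redirect_path?(target)
  return false if target.nil? || target.empty?
  # Some browsers normalise backslashes to "/", so "/\other.example" would
  # become "//other.example"; reject them before parsing.
  return false if target.include?('\\')
  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    return false
  end
  return false if uri.scheme || uri.host || uri.userinfo
  return false unless uri.path.start_with?('/')
  return false if uri.path.start_with?('//')
  true
end

# Use the target only when it is local; otherwise redirect to the fallback.
def safe_redirect_target(target, fallback = '/')
  local_redirect_path?(target) ? target : fallback
end

# Constructed sample inputs modelled on the link shapes discussed above.
SAMPLES = {
  '/users/1'                  => true,
  '/search?q=rails&page=2'    => true,
  'http://other.example/login' => false, # absolute URL to another host
  '//other.example/login'     => false, # protocol-relative, still off-site
  '/\\other.example'          => false, # backslash form
  'users/1'                   => false, # not anchored at the site root
  ''                          => false
}

if __FILE__ == $0
  SAMPLES.each do |target, expected|
    verdict = local_redirect_path?(target) == expected ? 'ok' : 'MISMATCH'
    puts format('%-30s -> %s', target.inspect, verdict)
  end
end
```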
