Danger, danger: High Voltage vulnerability

Mike Burns

Version 1.2.0 of high_voltage is a security fix. Please upgrade.

Description

The high_voltage static page gem prior to version 1.2.0 allows attackers to cause the Rails app to render arbitrary files as if they were ERB templates. An attacker can trigger this local file inclusion (LFI) by using URL-encoded Unicode characters in the page path, which bypass the Ruby [Pathname#cleanpath](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/pathname/rdoc/Pathname.html#method-i-cleanpath) method.

Solution

Upgrade to version 1.2.0 of high_voltage:

bundle update high_voltage

Workaround

If you cannot upgrade easily, you can instead subclass HighVoltage::PagesController to override the current_page method and remove invalid characters yourself. More details on overriding can be found in the high_voltage documentation.
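The following is an added example of the workaround above, not code from the high_voltage project or from the original post. Rather than trying to normalise the page id with Pathname#cleanpath, it accepts only ids built from a small ASCII allow-list (the exact character policy, the `PageIdSanitizer` module, the `SafePagesController` name and the `app/views/pages` root are assumptions of this example); the controller subclass is only defined when HighVoltage is loaded, so the file also runs stand-alone outside Rails.

```ruby
# Added example (not code from the high_voltage project or the original post).
# Demonstrates the allow-list approach the workaround describes: instead of
# trying to normalise a page id with Pathname#cleanpath, accept only ids
# built from a small ASCII character set and reject everything else.
require "pathname"

module PageIdSanitizer
  class InvalidPageId < StandardError; end

  # Constructed policy (an assumption of this example): a page id is one or
  # more path segments of lowercase letters, digits, hyphen or underscore,
  # separated by single forward slashes. This excludes "..", leading or
  # trailing slashes, "%" (so no encoded bytes survive), and every non-ASCII
  # character, so no Unicode character can reach the file system lookup.
  SEGMENT = /[a-z0-9_-]+/
  PAGE_ID = /\A#{SEGMENT}(?:\/#{SEGMENT})*\z/

  # Returns the id unchanged when it is acceptable, raises otherwise.
  # Rails hands params[:id] to the controller already URL-decoded, so the
  # check runs on the decoded value that would otherwise be joined onto the
  # content path.
  def self.sanitize(id)
    raise InvalidPageId, "page id must be a String" unless id.is_a?(String)
    raise InvalidPageId, "page id contains non-ASCII characters" unless id.ascii_only?
    raise InvalidPageId, "page id #{id.inspect} is not an allowed page path" unless PAGE_ID.match?(id)
    id
  end

  # Convenience predicate for callers that prefer a boolean.
  def self.valid?(id)
    sanitize(id)
    true
  rescue InvalidPageId
    false
  end

  # Belt and braces: even for an accepted id, confirm the resolved template
  # path stays inside the content directory. content_root is a constructed
  # example value standing in for app/views/pages.
  def self.within_root?(content_root, id)
    root = Pathname.new(content_root).cleanpath
    target = (root + id).cleanpath
    target.to_s.start_with?("#{root}/")
  end
end

# Only defined when HighVoltage is loaded (i.e. inside a Rails app), so this
# file stays runnable on its own without Rails. HighVoltage::PagesController
# and current_page are the names the advisory gives; the subclass name is an
# assumption of this example.
if defined?(HighVoltage::PagesController)
  class SafePagesController < HighVoltage::PagesController
    def current_page
      PageIdSanitizer.sanitize(super)
    rescue PageIdSanitizer::InvalidPageId
      raise ActionController::RoutingError, "No such page: #{params[:id]}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample ids: two acceptable, three that must be rejected.
  ["about", "company/team", "../config/database", "caf\u00e9", "%2e%2e/x"].each do |id|
    puts "#{id.inspect.ljust(24)} -> #{PageIdSanitizer.valid?(id)}"
  end
end
```

Point the route that normally goes to HighVoltage::PagesController at the subclass instead (HighVoltage's own documentation covers how to override the controller), and keep the allow-list as tight as your page names permit: a positive allow-list is easier to reason about than trying to enumerate every encoding of `.` and `/` that a cleanup routine might miss.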

Acknowledgements

Thanks to Jefferson Venerando for bringing the Unicode exploit to our attention.
