A possible input validation circumvention vulnerability in Active Model was reported. Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations.

External References:
https://groups.google.com/forum/#!msg/rubyonrails-security/6jQVC1geukQ/8oYETcxbFQAJ
http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
Created rubygem-activerecord tracking bugs for this issue: Affects: fedora-all [bug 1301979]
Created rubygem-activemodel tracking bugs for this issue: Affects: fedora-all [bug 1301977]
Upstream commits:
4.1: https://github.com/rails/rails/commit/50d3d7d01123fa9e08fcce5985fd6e8c24ba57ab
4.2: https://github.com/rails/rails/commit/e3ceb28e66ca6e869f8f9778dc42672f48001a90
Analysis:

Several class attributes of Active Model models, including validation-related ones, were writable from instances. An attacker with the ability to pass arbitrary attributes to Active Model instances could use this to bypass validation.

Impacted code:

```ruby
SomeModel.new(unverified_user_input)
```

Mitigation: Do not allow arbitrary attributes to be passed to models. In Rails with Strong Parameters, make sure not to call the permit! method, which bypasses Strong Parameters protections. Outside of Rails, use whitelisting to filter only allowed attributes before passing them to models.
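The following is an added example, not code from this bug or from Rails. It uses a small hypothetical class to stand in for the pattern described in the analysis (a class-level validation setting that instances can also overwrite, combined with mass assignment of every key in a request hash) and shows the whitelisting mitigation applied before the hash reaches the model. The class, attribute and key names are made up for illustration; the Rails internals are not reproduced.

```ruby
# Added example: a minimal stand-in for the vulnerable shape, plus the
# whitelisting mitigation. Nothing here is Rails code.

class Comment
  # Class-level list of validation checks (the analogue of a Rails
  # class_attribute holding validation state).
  class << self
    attr_accessor :validators
  end
  self.validators = []

  # Hypothetical instance-level writer for the same setting. This mirrors
  # the problem described in the analysis: the setting is writable from
  # an instance, so a mass-assigned key can reach it.
  attr_writer :validators

  def validators
    @validators.nil? ? self.class.validators : @validators
  end

  attr_accessor :body

  # Mass assignment: every key in the hash becomes a setter call.
  # This is the SomeModel.new(unverified_user_input) shape.
  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  def valid?
    validators.all? { |check| check.call(self) }
  end
end

# One validation: body must be a non-blank string.
Comment.validators = [->(c) { c.body.is_a?(String) && !c.body.strip.empty? }]

# Whitelist of attributes a request may set. This is the "permit" half of
# Strong Parameters written by hand so the example runs without Rails.
PERMITTED = %w[body].freeze

# Returns a new hash containing only permitted keys (as strings).
def permit(params, allowed = PERMITTED)
  params.each_with_object({}) do |(k, v), out|
    out[k.to_s] = v if allowed.include?(k.to_s)
  end
end

# Vulnerable shape: the raw request hash goes straight to the model.
def build_unsafe(params)
  Comment.new(params)
end

# Mitigated shape: filter to the whitelist first.
def build_safe(params)
  Comment.new(permit(params))
end

# Constructed request parameters (not from any real traffic): a blank body
# plus an extra key that lands on the instance-level validators writer and
# replaces the validation list with an empty one.
CRAFTED = { "body" => "   ", "validators" => [] }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe, crafted input valid?: #{build_unsafe(CRAFTED).valid?}"
  puts "safe,   crafted input valid?: #{build_safe(CRAFTED).valid?}"
end
```

With the raw hash, the crafted key empties the validation list and the blank body is accepted; with the whitelist applied first, the extra key never reaches the model and the blank body is rejected. Calling permit! in Rails has the same effect as the unsafe path here: every key is let through.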
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0296 https://rhn.redhat.com/errata/RHSA-2016-0296.html
rubygem-activerecord-4.2.0-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-4.2.0-3.fc22, rubygem-activemodel-4.2.0-2.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activesupport-4.2.0-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activerecord-4.2.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activemodel-4.2.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.