Nixpkgs security tracker
Untriaged
Rails Active Storage has possible glob injection in its DiskService
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
References
-
https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m x_refsource_CONFIRM
-
https://github.com/rails/rails/releases/tag/v7.2.3.1 x_refsource_MISC
-
https://github.com/rails/rails/releases/tag/v8.0.4.1 x_refsource_MISC
-
https://github.com/rails/rails/releases/tag/v8.1.2.1 x_refsource_MISC
Affected products
activestorage
- ==>= 8.1.0.beta1, < 8.1.2.1
- ==< 7.2.3.1
- ==>= 8.0.0.beta1, < 8.0.4.1
Matching in nixpkgs
pkgs.rubyPackages.activestorage
None
pkgs.rubyPackages_3_1.activestorage
None
pkgs.rubyPackages_3_2.activestorage
None
pkgs.rubyPackages_3_3.activestorage
None
pkgs.rubyPackages_3_4.activestorage
None