Hitting a bit of a brick wall here. I'm trying to send a string containing line breaks (\n, turned to \u000a by JSON.stringify) as part of a JSON object over to a Rails app:
{"bob":{"id":46,"notes":"foo\u000abar\u000abaz"}}
This goes over the wire as this, with \u000a escaped as %5Cu000a:
http://localhost/bobs/46?draft=true&%7B%22bob%22%3A%7B%22id%22%3A46%2C%22notes%22%3A%22foo%5Cu000abar%5Cu000abaz%22%7D%7D=
But the second the request hits Rubyland, the newlines disappear in a puff of ether, turning into spaces:
Processing Api::BobsController#update (for 127.0.0.1 at 2011-05-19 11:01:43) [PUT]
Parameters: {"draft"=>"true", "action"=>"update", "id"=>"46", "controller"=>"api/bobs", "bob"=>{"notes"=>"foo bar baz", "id"=>46}
And it's not just some logging artifact, but they're going into the database that way as well:
ree-1.8.7-2010.02 > Bob.find_by_id(46)
=> #<Bob id: 46, notes: "foo bar baz"...>
If I send e.g. "\\n" instead of "\n", they come through fine:
Processing Api::BobsController#update (for 127.0.0.1 at 2011-05-19 11:01:43) [PUT]
Parameters: {"draft"=>"true", "action"=>"update", "id"=>"46", "controller"=>"api/bobs", "bob"=>{"notes"=>"foo\\nbar\\nbaz", "id"=>46}
What's going on, and why?
Update: A colleague vaguely recalls hearing that Passenger has been suspected of dropping some special chars, but he can't find a reference to back this up, and neither can I...?
This could be nothing, but aren't PUT methods meant to be POST'ed in RESTful Rails? GET-ing any URL should be repeatable w/o any change to the database.
If you changed your AJAX call to post you could also indicate proper content-type of application/json so Rails knows how to handle it.
I'm trying to resolve a complicated form post in json format from the shopify CreateOrder webhook
To simplify testing and coding I wanted to recreate the post from the parameters in the server output, so that I don't have to create a cart each test cycle.
This is an example from my log file:
Started POST "/shopify?id=123456&shopifyaction=OC&incomingpipe=6" for xxx.xxx.xxx.xxx at 2021-03-09 14:24:22 +0000
Processing by ShopifyWebhooksController#shopify_webhook as TEXT
Parameters: {"A1984"=>"1", "A9873"=>"5", "A1674"=>"2", "A8724"=>"1", "A3574"=>"3", "A1165"=>"5", "wbid"=>"162", "shopifyaction"=>"OC", "incomingpipe"=>"6"}
[WB] Shopify Post Verified
I wanted to grab the parameters hash in this and post it from an ajax or controller, but I'm going round and round in circles as I try to convert this to coffee script / or a json or anything to parse it into a form, mainly because the actual post from shopify is a horrendous confusion of madness, and even with a good text editor find/replace I'm throwing errors everywhere just to get jQuery to read it.
Is there a simple obvious process for doing this in the controller that I'm missing?
For anybody looking for a good solution to this,
Yaro's fab Gem REPOST solves all the hassles
https://github.com/vergilet/repost
I'm having an odd problem with Ruby on Rails globbing. My route looks like this:
get 'people/info_from_url/*url', to: 'people#info_from_url'
So from the frontend, I have get requests to URLs like:
my-api.com/people/info_from_url/youtube.com/XXX
my-api.com/people/info_from_url/twitter.com/XXX
my-api.com/people/info_from_url/tinyurl.com/XXX
...
These all work as expected - I get a parameter in the people#info_from_url controller action called url that contains the full URL that was sent.
However, for one particular kind of URL (XXX.carrd.co), the last part gets cut off. In the frontend, I send a get request to my-api.com/people/info_from_url/XXX.carrd.co. From the backend logs:
INFO -- : Started GET "/people/info_from_url/XXX.carrd.co/"
INFO -- : Processing by PeopleController#info_from_url as
INFO -- : Parameters: {"url"=>"XXX.carrd"}
Somewhere, the .co gets dropped. I'm not sure why this could be happening or how to debug it, since the change happens before I'm able to access the params hash. I could deal with this manually by just checking if it's a carrd link, but I'd like to know why it's happening and if any other kind of link might experience this issue. Thanks for any help!
Routes have an implicit optional (.:format) segment at the end. You can use this option to prevent that:
get 'people/info_from_url/*url', to: 'people#info_from_url', format: false
EDIT: you can check the last part here in the docs explaining that too https://guides.rubyonrails.org/routing.html#route-globbing-and-wildcard-segments
I'm trying to pass a URL as a param to my Rails app:
Started DELETE "/images/0?s3_filepath=https://s3.amazonaws.com/buildinprogresstest/uploads/blllbyq5k3qinl4l/uploads_2F9qggxxf5dvlsor-667601c8f38d8d41af07828accbf3147_2F2014-07-13%252B18.44.29.jpg" for 127.0.0.1 at 2016-08-31 11:52:09 -0400
The s3_filepath is not being properly parsed in the params:
Parameters: {"s3_filepath"=>"https://s3.amazonaws.com/buildinprogresstest/uploads/blllbyq5k3qinl4l/uploads_2F9qggxxf5dvlsor-667601c8f38d8d41af07828accbf3147_2F2014-07-13%2B18.44.29.jpg", "id"=>"0"}
If you look closely, the filename includes the sequence "252B18", but the params seem to remove the characters "52".
I'm at a loss as to why this is happening. Any ideas?
Normally parameters are URL-encoded and decoded on the Rails side. %25 is decoded to %, which is why it is removed from your input. You need to properly encode this URL.
In Ruby you can use CGI.escape
CGI.escape "https://s3.amazonaws.com/buildinprogresstest/uploads/blllbyq5k3qinl4l/uploads_2F9qggxxf5dvlsor-667601c8f38d8d41af07828accbf3147_2F2014-07-13%252B18.44.29.jpg"
=> "https%3A%2F%2Fs3.amazonaws.com%2Fbuildinprogresstest%2Fuploads%2Fblllbyq5k3qinl4l%2Fuploads_2F9qggxxf5dvlsor-667601c8f38d8d41af07828accbf3147_2F2014-07-13%25252B18.44.29.jpg"
If you send this request via JavaScript you can use the escape function in JavaScript:
escape("https%3A%2F%2Fs3.amazonaws.com%2Fbuildinprogresstest%2Fuploads%2Fblllbyq5k3qinl4l%2Fuploads_2F9qggxxf5dvlsor-667601c8f38d8d41af07828accbf3147_2F2014-07-13%25252B18.44.29.jpg")
I have a Rails/Ember one-page app. Burp reports that
The value of the 'content_type' JSON parameter is copied into the HTML document as plain text between tags. The payload da80balert(1)4f31e was submitted in the content_type JSON parameter. This input was echoed unmodified in the application's response.
I can't quite parse this message referring to "is copied into" and "was submitted" in, but basically what is happening is:
A PUT or POST from the client contains ...<script>...</script>... in some field.
The server handles this request, and sends back the created object in JSON format, which includes the string in question
The client then displays that string, using the standard Ember/Handlebars {{content_type}}, which HTML-escapes the string and inserts it into the DOM, so the browser displays it on the screen as originally entered (and of course does NOT execute it).
So yes, the input was indeed echoed unmodified in the application's response. However, the application's response was not HTML, in which case there would indeed be a problem, but JSON, containing strings which when referred to by Handlebars will always be escaped properly for proper display in the browser.
So my question is, is this in fact a vulnerability? I have taken great care with my Ember app and can prove that no data from JSON objects is ever inserted "raw" into the DOM. Or is this a false positive given rise to by the mere fact the unescaped string may be found in the response if looked for using an unintelligent string comparison, not taking into account the fact that the JSON will be processed/escaped by the client-side framework?
To put it a different way, in a classic webapp spitting out HTML from the server, we know that user input such as the above must be escaped/sanitized properly. Unsanitized data "on the wire" in and of itself represents a vulnerability. However, in a one-page app based on JSON coming back from the server, the escaping/sanitization occurs in the client; the JSON on the "wire" may contain unsanitized data, and this is as expected. Am I missing something here?
There are subtle ways in which you can trick IE9 and older into treating JSON as HTML. So even if the server's response has a Content-Type header of application/json, IE will second guess it. This is called content type sniffing, and can be disabled by adding the X-Content-Type-Options: nosniff header.
JSON is not an executable format so your understanding is correct.
I did a demo of this exact problem in my talk on securing single page web apps at OWASP AppSec EU 2013 which someone put up on youtube here: http://m.youtube.com/watch?v=Femsrx0m9bU
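As a defence-in-depth companion to the nosniff header in the answer above, here is an added example (not from the posts, and not Ember's, Rails' or Burp's code): serialise the JSON response so that it never contains a literal <, > or &, so even a browser that ignores the Content-Type has no HTML to find. Rails ships this transform as ERB::Util.json_escape; the helper below re-implements it in plain Ruby, and json_response is a hypothetical Rack-style wrapper.

```ruby
require 'json'

# Escapes for the three characters a content-sniffing browser would need to
# see before it could mistake a JSON body for HTML. A JSON parser turns
# \u003c back into '<', so the client still receives the original string.
# (Assumption: this mirrors what Rails' ERB::Util.json_escape does for these
# characters; it is not the Rails implementation itself.)
HTML_SENSITIVE = { "<" => "\\u003c", ">" => "\\u003e", "&" => "\\u0026" }.freeze

def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/, HTML_SENSITIVE)
end

# Rack-style response triple for a JSON API endpoint: declare the type,
# forbid sniffing (the header from the answer above), and serialise with
# html_safe_json so the body never contains a literal '<'.
def json_response(obj, status = 200)
  headers = {
    "Content-Type" => "application/json; charset=utf-8",
    "X-Content-Type-Options" => "nosniff"
  }
  [status, headers, [html_safe_json(obj)]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed probe string of the kind the scanner submitted.
  probe = { "content_type" => "da80b<script>alert(1)</script>4f31e" }
  _status, _headers, body = json_response(probe)
  puts body.first                       # no literal '<' anywhere in the body
  puts JSON.parse(body.first) == probe  # true: the client still gets the original
end
```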
Our app provides an API that people can use to submit URLs like this:
curl -X POST http://app.local/resource -d'url=http://news.google.com/newshl=en&q=obama&um=1&ie=UTF-8&output=rss'
Unfortunately, it seems that Rails messes up this param. Any idea on how to fix this?
See the log below:
Processing ApplicationController#index (for 127.0.0.1 at 2010-06-08 19:03:09) [POST]
Parameters: {"um"=>"1", "url"=>"http://news.google.com/newshl=en", "output"=>"rss", "q"=>"obama", "ie"=>"UTF-8"}
I would expect the following:
Parameters: {"url"=>"http://news.google.com/newshl=en&q=obama&um=1&ie=UTF-8&output=rss"}
What exactly does Rails mess up?
If you are referring to the fact that it didn't get complete Google URL (i.e. separated it to output, q and other params) that's because you need to encode '&' character if you want to use it as a part of a value. Something like:
curl -X POST http://app.local/resource -d'url=http://news.google.com/newshl=en%26q=obama%26um=1%26ie=UTF-8%26output=rss'
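Both this answer and the CGI.escape answer to the S3 question above come down to the same rule: a URL used as a parameter value must be percent-encoded once more, or its own '&', '=' and '%' are consumed by the query-string parser. The following added example (not from either post) reproduces both symptoms and the fix in plain Ruby; parse_query stands in for the framework's query parsing using URI.decode_www_form, and the two sample URLs are constructed, shortened versions of the ones in the posts.

```ruby
require 'cgi'
require 'uri'

# Constructed sample values, shortened from the two posts above.
S3_URL   = "https://s3.amazonaws.com/bucket/uploads/2014-07-13%252B18.44.29.jpg".freeze
NEWS_URL = "http://news.google.com/newshl=en&q=obama&um=1&ie=UTF-8&output=rss".freeze

# What both posters sent: the raw value dropped straight into the query string.
def naive_query(name, value)
  "#{name}=#{value}"
end

# The fix from both answers: percent-encode the value first (CGI.escape), so
# the '&', '=' and '%' inside it are data, not delimiters.
def encoded_query(name, value)
  "#{name}=#{CGI.escape(value)}"
end

# Stand-in for what the framework does before the params hash reaches the
# controller: split on '&', split each pair on its first '=', then
# percent-decode each piece exactly once (%25 -> %, + -> space).
def parse_query(query)
  URI.decode_www_form(query).to_h
end

# Does the value survive one encode/decode trip intact?
def round_trips?(name, value)
  parse_query(encoded_query(name, value)) == { name => value }
end

if __FILE__ == $PROGRAM_NAME
  p parse_query(naive_query("s3_filepath", S3_URL))  # %252B has collapsed to %2B
  p parse_query(naive_query("url", NEWS_URL))        # url is split into five params
  p round_trips?("s3_filepath", S3_URL)              # true
  p round_trips?("url", NEWS_URL)                    # true
end
```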