New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web cache poisoning - semicolon as a separator #1732
Comments
Allowing ; as separator by default can lead to web cache poisoning. Fixes rack#1732
Developers can already specify a separator when parsing queries directly (second argument to @tenderlove is this change likely to affect Rails? |
Ya, I totally agree we should switch the default. I don't think it will impact Rails, but I'm sure this will impact someone. Should we consider making this change in a major release? |
Allowing ; as separator by default can lead to web cache poisoning. Fixes rack#1732
Allowing ; as separator by default can lead to web cache poisoning. Fixes #1732
Snyk keeps regularly reminding me that |
hi @jamgregory I patched this in my own Rails application by adding this into module Rack
class Request
Helpers.module_eval do
def GET
if get_header(RACK_REQUEST_QUERY_STRING) == query_string
get_header(RACK_REQUEST_QUERY_HASH)
else
query_hash = parse_query(query_string, '&')
set_header(RACK_REQUEST_QUERY_STRING, query_string)
set_header(RACK_REQUEST_QUERY_HASH, query_hash)
end
end
end
end
end |
Thanks for that @causztic, we might look at using it. Obviously it'd be ideal to get a |
Allowing ; as separator by default can lead to web cache poisoning. Fixes rack#1732
Allowing ; as separator by default can lead to web cache poisoning. Fixes rack#1732
Seems like the answer is no, but just to confirm, should we ever expect a fix for this on Rack 2? My project uses Sinatra which is pegged to Rack 2 so I'm getting dinged on this by Snyk. I assume we'll just need to wait for Sinatra to support Rack 3 👀 |
Correct, this is considered too breaking to backport to Rack 2. |
Have we ever actually seen an attack in the wild? i.e. is this a little bit of a false flag? |
Is this incompatibility really necessary? I understand the problem as follows:
My question here is: is 1 true? I looked for information on NGINX and Varnish and couldn't find any mention of ignoring For NGINX, I found the following example configuration. https://gist.github.com/a-vasyliev/de8ffc6c6aa74cdeadfe This manually removes For Varnish, I found the following discussion. https://serverfault.com/questions/591860/ignore-utm-values-with-varnish This response says:
This indicates that it is (possible but) never easy to configure Varnish to ignore So, I think this is an unnecessary incompatibility introduced against a problem that in reality rarely exists or is the configuration bug of a reverse proxy. What do you think? @AdamGold @jeremyevans @tenderlove |
@mame Treating semicolon as separator is certainly incorrect behavior in terms of parameter handling (see decoding part of https://www.w3.org/TR/2014/REC-html5-20141028/forms.html#url-encoded-form-data). Because fixing Rack to only split on ampersand is incompatible, we did not backport the fix to Rack 2. However, we should certainly keep the fix in Rack 3. |
@jeremyevans Thanks for your quick reply. Interestingly, https://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2
If the change is not for security reasons, but to comply with the new specification, I understand your decision. IHMO, the incompatibility is too big just for that purpose, though. I hope that the W3C be cautious about unnecessarily changing what it has recommended in the past... |
The
request.rb
file treats semicolon as a separator (6af5f92) - whereas most proxies today only take ampersands as separators. Link to a blog post explaining this vulnerability: https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter - such as
utm_*
parameters, which are usually unkeyed. Let’s take the following example of a malicious request:The backend sees 3 parameters here:
link
,utm_content
and thenlink
again. On the other hand, the proxy considers this full string:1;link='><t>alert(1)</script>
as the value ofutm_content
, which is why the cache key would only containsomesite.com/?link=http://google.com
.A possible solution could be to allow developers to specify a separator, defaulting to an ampersand.
The text was updated successfully, but these errors were encountered: