Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3580511 (reported by ksw9722)
ActiveStorage's DiskService#path_for does not validate or sanitize blob keys before constructing file paths. Combined with the Hash attachable interface — which passes user-supplied key: values directly to Blob.build_after_unfurling without filtering — an attacker who can influence the Hash passed to .attach() can achieve arbitrary file write, read, and delete on the server's filesystem.
The key: parameter is a documented feature intended for S3 folder organization, making it likely that developers will incorporate user input into key construction.
Severity: High (CVSS 8.1 estimated — depends on application-level exposure)
Affected component: activestorage (DiskService)
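As an added illustration of the mitigation side (not code from the report, from Rails, or from the reporter), the following Ruby snippet shows the check an application should perform before forwarding a key it assembled from user input to .attach(). It mirrors the folder-prefix path layout a disk service uses (first two and next two characters of the key as subdirectories) so that the final path can be tested for containment under the storage root; the root directory, the key alphabet, and the helper names are assumptions made for this example.

```ruby
require "pathname"

# Assumed storage root, constructed for this example.
ACTIVESTORAGE_ROOT = Pathname.new("/var/app/storage").freeze

# Allow only lowercase alphanumerics, optionally separated by single "/"
# for folder organisation. No "." segments, no leading/trailing "/",
# no empty segments, so ".." and absolute paths are rejected up front.
SAFE_KEY = %r{\A[a-z0-9]+(?:/[a-z0-9]+)*\z}

# First line of defence: syntactic allow-list on the key itself.
def safe_blob_key?(key)
  key.is_a?(String) && key.match?(SAFE_KEY)
end

# Rebuild the on-disk path the same way a disk-backed service does
# (root / key[0..1] / key[2..3] / key), purely to inspect it; nothing
# is written or read here.
def disk_path_for(root, key)
  File.join(root.to_s, key[0..1], key[2..3], key)
end

# Second line of defence: after normalising "." and ".." the resulting
# path must still sit strictly below the storage root.
def contained_in_root?(root, key)
  path = Pathname.new(disk_path_for(root, key)).cleanpath
  path.to_s.start_with?(root.cleanpath.to_s + File::SEPARATOR)
end

# Gate to call before passing a Hash with a key: entry to .attach().
# Returns the key unchanged when it is safe, raises otherwise.
def validate_attach_key!(key)
  unless safe_blob_key?(key) && contained_in_root?(ACTIVESTORAGE_ROOT, key)
    raise ArgumentError, "refusing unsafe blob key"
  end
  key
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample keys: one that a generated key resembles, one with a
  # folder prefix, and one traversal attempt that must be refused.
  ["ab3k9q7zt1", "uploads/user42/ab3k9q7zt1", "../../etc/passwd"].each do |k|
    begin
      puts "#{k.inspect}: accepted as #{disk_path_for(ACTIVESTORAGE_ROOT, validate_attach_key!(k))}"
    rescue ArgumentError => e
      puts "#{k.inspect}: #{e.message}"
    end
  end
end
```

The two checks are deliberately redundant: the allow-list rejects anything that is not an expected key shape, and the containment test catches any layout change or encoding trick the regex did not anticipate. Generated keys never need this gate; it matters only where application code lets request data shape the key.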