Use render html: instead of render inline:
By using render inline: here you may be introducing a RCE since it will evaluate ERB. https://github.com/openjournals/joss/blob/12d765b4f72f519e9f57885db01aa6721ffda9f1/app/controllers/papers_controller.rb#L301
Tried this in https://github.com/openjournals/joss/commit/c468a0ecfe06215975cf60e1bc25eafdc1c0cce2 but it didn't seem to work... (i.e. the SVGs didn't render)
Any suggestions @cantino?
You may have to set a content type too, maybe?
Thanks for checking in. That didn't seem to work either. I could get it to work with:
render html: svg.html_safe, layout: false, content_type: 'image/svg+xml'
but is that any safer? I'm not a security expert but perhaps this isn't a huge risk, especially as we're not passing params to the render?
I think that is still safer, as I don't think render html: will evaluate ERB, so I'd suggest you make that change.
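As an added illustration of the difference discussed above (this is example code written for this page, not code from the JOSS repository; it stands in for the two `render` calls without needing Rails), the block below compiles a constructed SVG string the way `render inline:` does, i.e. as an ERB template, and compares it with passing the string through untouched as `render html:` does. The SVG sample, the `<%= 6 * 7 %>` tag in it, and the helper names are all assumptions made for the demonstration.

```ruby
require "erb"

# Constructed sample (not from the JOSS repository): an SVG that happens to
# contain an ERB tag, standing in for content that reaches the view from an
# untrusted source.
SAMPLE_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" width="120" height="20">
    <text x="0" y="15">status: <%= 6 * 7 %></text>
  </svg>
SVG

# What `render inline:` does with the string: it is compiled as an ERB
# template, so every <% %> / <%= %> tag is executed as Ruby on the server
# before the response is built.
def render_like_inline(body)
  ERB.new(body).result(binding)
end

# What `render html:` does with the string: it is written to the response
# as-is (unescaped when marked html_safe). No ERB compilation happens, so
# the tag survives as literal text and nothing is executed.
def render_like_html(body)
  body.dup
end

# Cheap check a practitioner can apply to a body before handing it to
# either path: does it contain ERB tag openers at all?
def erb_tags?(body)
  body.include?("<%")
end

if __FILE__ == $PROGRAM_NAME
  puts "inline-style:\n#{render_like_inline(SAMPLE_SVG)}"
  puts "html-style:\n#{render_like_html(SAMPLE_SVG)}"
  puts "contains ERB tags? #{erb_tags?(SAMPLE_SVG)}"
end
```

Under `render_like_inline` the `<%= 6 * 7 %>` tag is evaluated and the output contains `status: 42`; under `render_like_html` the tag is still present verbatim. That is the whole of the distinction: `render html: svg.html_safe, layout: false, content_type: 'image/svg+xml'` sends the bytes through without compiling them, while `html_safe` only disables HTML escaping, so the SVG itself still has to come from a source you trust.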