Dynamic Render Path RCE
What does this mean?
The name or path of the view passed to the render method is built from user input (a dynamic render path), which can lead to remote code execution.
What can happen?
An attacker who successfully exploits the render call may be able to execute arbitrary malicious code on the application.
Recommendation
Care should be taken when using user input to determine which view to render. If possible, avoid any user input in the name or path to the view.
Sample Code
Vulnerable:
  def index
    # The request-controlled value params[:id] reaches render unchecked
    render params[:id]
  end
Non-vulnerable:
  def index
    render verify_template(params[:id])
  end

  private

  def verify_template(name)
    # Verification logic goes here: return name only if it is a known,
    # allowed template; otherwise reject it or fall back to a safe default
  end
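One way to fill in the verification step above, as an added example that is not code from the original page: the user-supplied value is only used as a lookup key against an allowlist, so the string that reaches render always comes from the allowlist. The template names, the UnknownTemplate error and the FakeController stand-in for a Rails controller are assumptions made for this example.

```ruby
require "set"

# Templates this action is allowed to render (hypothetical names for this example).
ALLOWED_TEMPLATES = Set.new(%w[index show summary]).freeze

class UnknownTemplate < StandardError; end

# Returns the template name only if it is literally in the allowlist; raises otherwise.
# nil, arrays or hashes from the query string, traversal strings such as "../../etc/passwd",
# full file names like "show.html.erb" and other directories like "admin/dashboard"
# all fail the exact-match lookup, so nothing outside the allowlist reaches render.
def verify_template(name)
  candidate = name.is_a?(String) ? name : name.to_s
  return candidate if ALLOWED_TEMPLATES.include?(candidate)
  raise UnknownTemplate, "template not allowed: #{candidate.inspect}"
end

# Variant for callers that prefer a safe default view over an error on bad input.
def template_or_default(name, default: "index")
  verify_template(name)
rescue UnknownTemplate
  default
end

# Stand-in for the controller pattern on the page, so the logic can be exercised
# outside Rails: render just records which template it was asked for.
class FakeController
  attr_reader :rendered

  def render(template)
    @rendered = template
  end

  def index(params)
    render(verify_template(params[:id]))
  end
end
```

In a real controller, rescue UnknownTemplate (or use template_or_default) to return a 404 rather than a 500, and log the rejected value so probing shows up in monitoring.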