接受URL参数填充"url_for"方法是否安全? [英] Is it safe to accept URL parameters for populating the `url_for` method?

问题描述

我正在使用Ruby on Rails 4.1.1，并且正在考虑接受(通过URL查询字符串)通过以下方式直接传递给url_for方法的参数:

I am using Ruby on Rails 4.1.1 and I am thinking to accept parameters (through URL query strings) that are passed directly to the url_for method, this way:

# URL in the browser
http://www.myapp.com?redirect_to[controller]=users&redirect_to[action]=show&redirect_to[id]=1

# Controller
...
redirect_to url_for(params[:redirect_to].merge(:only_path => true))

采用上述方法后，可以在执行操作后将用户重定向.但是，我认为人们可以输入任意params，这可能会导致安全问题...

Adopting the above approach users can be redirected after performing an action. However, I think people can enter arbitraryparams that can lead to security issues...

接受URL参数填充url_for方法是否安全?什么是陷阱?在最坏的情况下会发生什么?

Is it safe to accept URL parameters for populating the url_for method? What are pitfalls? What can happen in the worst case?

通过在对我的应用程序的请求期间记录params，我注意到Rails总是添加 :controller和action参数.也许可以确认url_for可以以上述方式使用，因为它在内部受到保护并且像Rails一样工作.

By logging params during requests to my application I noted Rails adds always :controller and action parameters. Maybe that confirms url_for can be used the above way since it is protected internally and works as-like Rails is intended to.

推荐答案

这在内部是安全的，因为Ruby On Rails仅会发布

This it is safe internally as Ruby On Rails will only be issuing a HTTP redirect response.

在使用only_path时，这将保护您免受打开重定向漏洞的影响.这是攻击者发送的电子邮件，其中包含以下格式的链接(例如，您的站点为example.com).

As you are using only_path this will protect you from an Open redirect vulnerability. This is where an email is sent by an attacker containing a link in the following format (say your site is example.com).

https://example.com?foo=bar&bar=foo&redirect=http://evil.com

当用户检查URL并发现它位于example.com域上时，他们相信它是安全的，因此请单击链接.但是，如果有一个开放的重定向，则用户最终进入evil.com，它可能会在不通知用户的情况下要求输入其example.com密码.

As the user checks the URL and sees it is on the example.com domain they beleive it is safe so click the link. However, if there's an open redirect then the user ends up on evil.com which could ask for their example.com password without the user noticing.

仅在您的网站上重定向到相对路径即可修复任何漏洞.

Redirecting to a relative path only on your site fixes any vulnerability.

在您的情况下，您是让用户控制您的控制器，操作和参数.只要您的GET方法安全(即没有副作用)，攻击者无法通过创建用户打开的特制链接来使用此功能.

In your case you are giving users control of your controller, action and parameters. As long as your GET methods are safe (i.e. no side-effects), an attacker could not use this by creating a crafted link that the user opens.

总而言之，从提供的信息来看，网络钓鱼URL到您的应用程序不会带来任何风险.

In summary, from the information provided I don't see any risk from phishing URLs to your application.

这篇关于接受URL参数填充"url_for"方法是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！