railsadminteam / rails_admin

RailsAdmin is a Rails engine that provides an easy-to-use interface for managing your data
MIT License

Vulnerability fix: validate return_to param using request.host #3627

Closed nicoayala closed 1 year ago

nicoayala commented 1 year ago

Context

An internal team audits the Maxwell Rails apps occasionally, and in the last run, they discovered a vulnerability. Please take a look at the details below:

An arbitrary redirect vulnerability occurs when an application URL redirects users to a 3rd-party, attacker-controlled website. As users recognize the application URL, they are likely to interact with the link. This can be used for phishing attacks against application users.

The rails_admin gem allows a redirect URL to be specified as a GET parameter. The validation of this URL does not properly check the redirect’s host, allowing it to be used as an arbitrary redirect.

Solution

Validate the URL starts with the ~request.host~ request.base_url
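An added example of the kind of check this comment describes, written for this page and not taken from the PR's diff or from rails_admin itself: the `return_to` value is accepted only when its parsed origin (scheme, host and port) equals the origin of `request.base_url`, and otherwise a local fallback path is used. The `Request` struct is a constructed stand-in for the parts of a Rails request the check needs; `safe_return_to` and `DEFAULT_PATH` are names chosen here. Comparing parsed components rather than testing a string prefix is deliberate, because a hostname that merely begins with the same text as the base URL must still be rejected.

```ruby
require 'uri'

# Constructed stand-in for a Rails request: only base_url is needed here.
# In a real controller this would be request.base_url, e.g. "https://app.example.com".
Request = Struct.new(:base_url) do
  def origin
    URI.parse(base_url)
  end
end

# Local path to fall back to when the candidate is not same-origin.
DEFAULT_PATH = '/'.freeze

# Returns +candidate+ when it points back to the same origin as the request
# (scheme, host and port all equal), otherwise +fallback+.
# Unparseable input, relative paths, protocol-relative URLs ("//host/…")
# and non-http schemes all fail the origin comparison and yield the fallback.
def safe_return_to(candidate, request, fallback: DEFAULT_PATH)
  return fallback if candidate.nil? || candidate.strip.empty?

  target = URI.parse(candidate)
  origin = request.origin

  same_origin = target.scheme == origin.scheme &&
                target.host&.downcase == origin.host&.downcase &&
                target.port == origin.port

  same_origin ? candidate : fallback
rescue URI::InvalidURIError
  fallback
end

if __FILE__ == $PROGRAM_NAME
  req = Request.new('https://app.example.com')
  # Constructed sample values a return_to parameter might carry.
  ['https://app.example.com/admin/users',
   'https://app.example.com.other.tld/',
   '//other.tld/x',
   'http://app.example.com/admin'].each do |value|
    puts "#{value.ljust(40)} -> #{safe_return_to(value, req)}"
  end
end
```

In a controller the call would be `redirect_to safe_return_to(params[:return_to], request)`; the fallback keeps the user inside the application whenever the parameter cannot be proven to point back to it.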

coveralls commented 1 year ago


Changes unknown when pulling 4714eb66728000aa06d1d315eebb0edbc9b6b27c on himaxwell:3.x-validate-redirect-host into on railsadminteam:master.

nicoayala commented 1 year ago

The failing check is rubocop in:

Offenses:

lib/rails_admin/extensions/paper_trail/auditing_adapter.rb:149:28: C: [Correctable] Style/RedundantSelfAssignmentBranch: Remove the self-assignment branch.
          versions = all ? versions : versions.send(Kaminari.config.page_method_name, current_page).per(per_page)
                           ^^^^^^^^

444 files inspected, 1 offense detected, 1 offense autocorrectable
Error: Process completed with exit code 1.

Is this being addressed? Let me know how I should proceed.

mshibuya commented 1 year ago

Merged in. Thank you for the fix!

mshibuya commented 1 year ago

The Rubocop failure was already addressed in the master: f06df8ff7f9890d7cf60fd4b724a4d92f55e94ab