Paperclip gem SSRF (Server side request forgery)

Description
  • The Paperclip gem provides easy file attachment management for ActiveRecord. The Paperclip library has a concept of 'IO adapters' that provide multiple ways a 'file' can be passed to the Paperclip library.

    The vulnerability affects two of Paperclip's IO adapters that accept URLs as attachment data:
    • lib/paperclip/io_adapters/http_url_proxy_adapter.rb
    • lib/paperclip/io_adapters/uri_adapter.rb

    When these adapters are used, Paperclip acts as a proxy and downloads the file from the website URI that is passed in.

    The 'http_url_proxy_adapter.rb' is invoked if the provided file/attachment data starts with 'http://' or 'https://'. This behavior is not currently documented by Paperclip and the library does not perform any validation to protect against Server Side Request Forgery (SSRF) exploits.

    SSRF as in Server Side Request Forgery is a vulnerability that allows an attacker to force server interfaces into sending packets initiated by the victim server to the local interface or to another server behind the firewall. Consult Web References for more information about this problem.
Remediation
  • You should update your Paperclip gem to version 5.2.0 to fix this vulnerability.
References