Spree Commerce

Security Fix for all Spree Versions

Posted on August 19, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a security vulnerability present in all versions of Spree 1.1.x+.

Through specially crafted search parameters, an attacker is able to bypass authorization checks and determine the contents of database records. This may be used to expose customer details and other sensitive information. The vulnerability is reachable through the API, and an API key is not required. All users are advised to patch or upgrade their stores immediately.

This is a non-backwards-compatible upgrade if you use custom ransack searches, because ransack searches are now restricted to an explicit whitelist of attributes and associations.

If you have custom ransack search associations and/or attributes, you can whitelist them by following this example in:

config/initializers/spree.rb

Spree::Product.whitelisted_ransackable_associations |= ['reservation']
Spree::Product.whitelisted_ransackable_attributes |= ['presale']
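To make the whitelisting mechanism concrete, the following is an added, self-contained Ruby example (not Spree's or Ransack's own code) of the check that the fix applies to ransack-style search keys: a key such as name_cont or variants_sku_eq is split into its association chain, attribute and predicate, and every segment must appear in an explicit whitelist, otherwise the key is rejected before it reaches the database. The model names, attribute lists and the SearchWhitelist class are constructed for this example and do not correspond to Spree's actual whitelists.

```ruby
# Added example (not Spree's or Ransack's own code): a minimal model of the
# "whitelist by default" check applied to ransack-style search keys.
# Ransack keys look like "<attribute>_<predicate>" or
# "<association>_<attribute>_<predicate>", e.g. "name_cont" or "variants_sku_eq".
# Model names and attribute lists below are constructed for the example.

# Subset of ransack predicates; the longest match wins ("not_eq" over "eq").
PREDICATES = %w[eq not_eq cont not_cont start end gt lt gteq lteq in not_in null present].freeze

class SearchWhitelist
  attr_reader :attributes, :associations

  # attributes: searchable column names; associations: name => SearchWhitelist
  # of the associated model. Anything absent from both lists is rejected.
  def initialize(attributes: [], associations: {})
    @attributes = attributes
    @associations = associations
  end

  # Returns [:ok, path] where path is the association chain plus the attribute,
  # or [:rejected, reason].
  def check(key)
    pred = PREDICATES.select { |p| key.end_with?("_#{p}") }.max_by(&:length)
    return [:rejected, "unknown predicate in #{key}"] unless pred
    resolve(key[0...-(pred.length + 1)], [])
  end

  # Splits a params hash into the keys the whitelist permits and the rest,
  # with the reason each rejected key was refused.
  def self.filter(whitelist, params)
    allowed = {}
    rejected = {}
    params.each do |key, value|
      status, info = whitelist.check(key.to_s)
      if status == :ok
        allowed[key] = value
      else
        rejected[key] = info
      end
    end
    [allowed, rejected]
  end

  protected

  # Walks "assoc_assoc_attribute" left to right, descending into the whitelist
  # of each association; every hop must be explicitly permitted.
  def resolve(base, path)
    return [:ok, path + [base]] if attributes.include?(base)
    associations.each do |name, target|
      prefix = "#{name}_"
      next unless base.start_with?(prefix)
      result = target.resolve(base[prefix.length..-1], path + [name])
      return result if result.first == :ok
    end
    where = path.empty? ? "root" : path.join(".")
    [:rejected, "#{base} is not whitelisted under #{where}"]
  end
end

# Constructed whitelists mirroring the shape of Spree's ransackable lists.
VARIANT_WHITELIST = SearchWhitelist.new(attributes: %w[sku])
PRODUCT_WHITELIST = SearchWhitelist.new(
  attributes: %w[name available_on],
  associations: { "variants" => VARIANT_WHITELIST, "master" => VARIANT_WHITELIST }
)

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: two permitted keys, one reaching an
  # attribute that is not whitelisted, one with an unknown predicate.
  params = { "name_cont" => "shirt", "variants_sku_eq" => "SKU-1",
             "master_cost_price_gt" => 0, "name_bogus" => "x" }
  allowed, rejected = SearchWhitelist.filter(PRODUCT_WHITELIST, params)
  puts "allowed:  #{allowed.keys.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

The important design choice is the default: a key is accepted only when every association hop and the final attribute are listed, so an unlisted association (or an unlisted attribute on a listed association) is refused rather than silently searched. Logging the rejected hash gives operators a cheap signal for search requests that probe fields outside the intended surface.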

Workaround

This initializer changes ransack's default so that searching across associations is no longer allowed. It is less complete than the patches, which also require attributes to be whitelisted.

# Any custom ransack searches in your store will have to be added to this list.
#
# config/initializers/security_20150817.rb
Rails.application.config.to_prepare do
  raise "Spree.user_class must be defined first" unless Spree.user_class
  whitelisted_associations = {
    # Revoke the ability to search across associations via ransack
    ActiveRecord::Base => [],
    # Put back the ability to search across associations that we know are used
    Spree::LineItem => ['variant'],
    Spree::Order => ['shipments', 'user', 'promotions', 'bill_address', 'ship_address', 'line_items', 'inventory_units'],
    Spree::Product => ['stores', 'variants_including_master', 'master', 'variants'],
    Spree::Promotion => ['codes'],
    Spree::Variant => ['option_values', 'product', 'prices', 'default_price'],
    Spree.user_class => ['bill_address', 'ship_address']
  }
  whitelisted_associations.each do |klazz, associations|
    klazz.define_singleton_method(:ransackable_associations) { |auth_object=nil| associations }
  end
end

Credit

Thanks to Andrew Thal from Bonobos for reporting the issue privately. This allowed us to verify the problem and prepare the necessary security patches for public release.

If you find any security issues please notify us privately via the security@spreecommerce.com email address.

Full Changes

To see a complete list of changes please view the compare pages: