Even though this vulnerability was announced on July 17th, I just happened to stumble on a tweet about it.
The important bit to look at in the source is this:
diff --git a/api/lib/spree/api/responders/rabl_template.rb b/api/lib/spree/api/responders/rabl_template.rb index 4a061f4..0b0d31c 100644 --- a/api/lib/spree/api/responders/rabl_template.rb +++ b/api/lib/spree/api/responders/rabl_template.rb @@ -14,7 +14,7 @@ module Spree end def template - request.headers['X-Spree-Template'] || controller.params[:template] || options[:default_template] + options[:default_template] end
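Review bot: dropping both caller-controlled sources (the X-Spree-Template header and params[:template]) is the right fix, but the hunk carries no regression test; add a spec that sends both the header and the param and asserts the response still renders options[:default_template], so the lookup cannot quietly be reintroduced. If per-request template selection is wanted again later, it should be a lookup of the supplied name against a fixed allowlist of template names, never the raw header or param value passed through to the template resolver.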
So, before the fix, any template could be requested either via the X-Spree-Template header or via the template request parameter, and the raw value was handed to the template lookup; after the fix only the controller's default template is used.
I wanted to verify this, so I spun up a copy of Spree I had on my disk and toyed a bit with a spec, asking for the README.md file in the Spree app repo and comparing the request body to an empty string. Guess what? The request body contains the README text.
A savvy attacker only needs to ask for config/database.yml, or spelunk through the initializers folder of apps that follow the bad practice of committing API keys to disk rather than loading them from environment variables.
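To make the README.md spec and the database.yml case concrete, here is a constructed Ruby script, added here and not Spree's own code. It models the template method from the diff before and after the fix, uses a stand-in file lookup that resolves the name relative to a views directory (an assumption about how the lookup behaves, not rabl's real resolver), and adds a hardened variant with an allowlist. The TemplateChooser class, the render_template helpers, the directory layout, the traversal paths and the sample README and database.yml contents are all assumptions made for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not Spree's code: models the `template` method from the
# diff above, before and after the fix.
class TemplateChooser
  def initialize(headers:, params:, default_template:)
    @headers = headers
    @params = params
    @default_template = default_template
  end

  # Pre-fix: the header wins, then the request param, then the default.
  # Whatever the caller sends is used verbatim as a template name.
  def vulnerable_template
    @headers['X-Spree-Template'] || @params[:template] || @default_template
  end

  # Post-fix: caller input is ignored; only the controller's default is used.
  def fixed_template
    @default_template
  end
end

# Constructed stand-in for the template lookup (assumption, not rabl's real
# resolver): resolve the name relative to the views directory and read it.
def render_template(views_dir, name)
  File.read(File.expand_path(name, views_dir))
end

# Hardened variant: only names from a fixed allowlist, and the resolved path
# must stay inside the views directory.
def render_template_safely(views_dir, name, allowed)
  raise ArgumentError, "template not allowed: #{name}" unless allowed.include?(name)
  base = File.expand_path(views_dir) + File::SEPARATOR
  path = File.expand_path(name, views_dir)
  raise ArgumentError, "template escapes views dir: #{name}" unless path.start_with?(base)
  File.read(path)
end

# Builds a throwaway app tree with constructed contents and exercises all three.
def demo
  Dir.mktmpdir do |root|
    views = File.join(root, 'app', 'views', 'spree', 'api', 'products')
    FileUtils.mkdir_p(views)
    FileUtils.mkdir_p(File.join(root, 'config'))
    File.write(File.join(views, 'show.v1.rabl'), "object @product\n")
    File.write(File.join(root, 'README.md'), "# Spree README\n")
    File.write(File.join(root, 'config', 'database.yml'),
               "production:\n  adapter: postgresql\n  password: constructed-secret\n")

    # Five "..", one per directory between products/ and the app root.
    via_header = TemplateChooser.new(
      headers: { 'X-Spree-Template' => '../../../../../README.md' },
      params: {},
      default_template: 'show.v1.rabl'
    )
    via_param = TemplateChooser.new(
      headers: {},
      params: { template: '../../../../../config/database.yml' },
      default_template: 'show.v1.rabl'
    )

    hardened_error = begin
      render_template_safely(views, via_header.vulnerable_template, ['show.v1.rabl'])
      nil
    rescue ArgumentError => e
      e.message
    end

    {
      vulnerable: render_template(views, via_header.vulnerable_template),  # README text
      db_yml: render_template(views, via_param.vulnerable_template),       # database.yml text
      fixed: render_template(views, via_header.fixed_template),            # the real template
      hardened_error: hardened_error                                       # allowlist rejection
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with plain ruby; the pre-fix chooser returns the README and database.yml contents for the header and param cases, the post-fix chooser renders show.v1.rabl regardless of what the caller sent, and the allowlisted variant rejects the traversal name before touching the filesystem.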
Well, hope that clears it up!