< Return to Blog

Dissecting The Latest Spree and Solidus API Security Vulnerability

Even though this vulnerability was announced on July 17th, I just happened to stumble on a tweet about it.

The important bit to look at in the source is this

diff --git a/api/lib/spree/api/responders/rabl_template.rb b/api/lib/spree/api/responders/rabl_template.rb
index 4a061f4..0b0d31c 100644
--- a/api/lib/spree/api/responders/rabl_template.rb
+++ b/api/lib/spree/api/responders/rabl_template.rb
@@ -14,7 +14,7 @@ module Spree

         def template
-          request.headers['X-Spree-Template'] || controller.params[:template] || options[:default_template]
+          options[:default_template]

So, it makes sense that any template can be asked for either via the X-Spree-Template header or template param.

I wanted to verify this, and spun up a copy of Spree I had on my disk, and toyed a bit with a spec, asking for the README.md file in the Spree app repo and comparing the request body to an empty string. Guess what? The request body contains the README text.

A savvy attacker only needs to ask for config/database.yml and or spelunk through the initializers folder for people following bad-practices and commiting API-keys to disk, rather than loading them via env vars.

Well, hope that clears it up!