Even though this vulnerability was announced on July 17th, I just happened to stumble on a tweet about it.
The important bit to look at in the source is this:
diff --git a/api/lib/spree/api/responders/rabl_template.rb b/api/lib/spree/api/responders/rabl_template.rb
index 4a061f4..0b0d31c 100644
--- a/api/lib/spree/api/responders/rabl_template.rb
+++ b/api/lib/spree/api/responders/rabl_template.rb
@@ -14,7 +14,7 @@ module Spree
end
def template
- request.headers['X-Spree-Template'] || controller.params[:template] || options[:default_template]
+ options[:default_template]
end
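Review bot: dropping the header and param sources from `template` closes the hole, but nothing in this hunk covers the behavioural change for existing API clients: anyone who passed `?template=` or `X-Spree-Template` now silently gets `options[:default_template]`. Suggest adding a request spec asserting that a request carrying `X-Spree-Template` still renders the default template, and a CHANGELOG entry noting that the `template` param is no longer honoured.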
So, before the fix, any template could be requested either via the X-Spree-Template header or the template param, and the value was handed straight to the renderer: there is no allow-list and no check for path separators, so whatever name the client sends is the name that gets looked up on disk.
I wanted to verify this, and spun up a copy of Spree I had on my disk, and toyed a bit with a spec, asking for the README.md
file in the Spree app repo and comparing the request body to an empty string. Guess what? The request body contains the README text.
A savvy attacker only needs to ask for config/database.yml, or spelunk through the config/initializers folder looking for people following the bad practice of committing API keys to disk rather than loading them from environment variables.
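To make the two points above concrete (the unchecked header/param selection, and what a request for README.md or config/database.yml gets you), here is an added example that is not Spree's code: a stripped-down Ruby model of the responder's template selection next to a toy renderer that resolves the chosen name relative to a views directory. The directory layout, file contents and helper names (`vulnerable_template`, `hardened_template`, `render`, `demo`, `ALLOWED_TEMPLATES`) are constructed for the illustration, and the allow-list fix shown is an assumption about one reasonable hardening, not the fix Spree shipped (which simply removed both sources).

```ruby
require "tmpdir"
require "fileutils"

# Added example, not Spree's code: a stripped-down model of how the responder
# picked a template. Directory layout, file contents and helper names are
# constructed for this illustration.

# Vulnerable selection, mirroring the removed line in the diff: header first,
# then the query param, then the default, with no validation of the value.
def vulnerable_template(headers, params, default)
  headers["X-Spree-Template"] || params[:template] || default
end

# Hardened selection (an assumption, one of several possible fixes): honour the
# header/param only when it names a template on a fixed allow-list; anything
# else, including anything containing a path separator, falls back to default.
ALLOWED_TEMPLATES = %w[show.rabl index.rabl].freeze

def hardened_template(headers, params, default)
  requested = headers["X-Spree-Template"] || params[:template]
  ALLOWED_TEMPLATES.include?(requested) ? requested : default
end

# Toy renderer: resolves the template name relative to the views directory and
# returns the file's contents. Like a path-based view lookup, it does nothing
# to stop ".." segments from escaping the views directory.
def render(views_dir, template)
  path = File.expand_path(template, views_dir)
  File.file?(path) ? File.read(path) : nil
end

# Builds a throwaway app tree with a README and a database.yml two levels above
# the views directory, then renders through both selection strategies.
def demo
  Dir.mktmpdir("spree-template-demo") do |app_root|
    views = File.join(app_root, "app", "views")
    FileUtils.mkdir_p(views)
    FileUtils.mkdir_p(File.join(app_root, "config"))
    File.write(File.join(views, "show.rabl"), "object @product")
    File.write(File.join(views, "index.rabl"), "collection @products")
    File.write(File.join(app_root, "README.md"), "# constructed README")
    File.write(File.join(app_root, "config", "database.yml"),
               "production:\n  password: constructed-secret\n")

    readme  = "../../README.md"
    db_yaml = "../../config/database.yml"

    {
      vulnerable_readme: render(views, vulnerable_template({ "X-Spree-Template" => readme }, {}, "show.rabl")),
      vulnerable_dbyml:  render(views, vulnerable_template({}, { template: db_yaml }, "show.rabl")),
      hardened_readme:   render(views, hardened_template({ "X-Spree-Template" => readme }, {}, "show.rabl")),
      hardened_index:    render(views, hardened_template({}, { template: "index.rabl" }, "show.rabl"))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, body| puts "#{name}: #{body.inspect}" }
end
```

Running it shows the vulnerable path returning the README text and the database.yml contents, while the allow-listed version renders `show.rabl` for the traversal attempts and still lets a client pick `index.rabl` by name. Removing the header and param outright, as the real patch does, is the simpler fix when nobody legitimately needs to choose a template.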
Well, hope that clears it up!