Code execution (hook loading hardening)

MEDIUM
rails/rails
Commit: 6684aca3c360
Affected: 8.1.x prior to 8.1.3 (i.e., 8.1.0 - 8.1.2)
2026-04-05 12:33 UTC

Description

The commit adds guard_load_hooks in ActionPack Railties to guard/whitelist the loading of hooks for ActionController and ActionDispatch. This hardening mitigates potential code execution paths via user-controlled or misconfigured load hooks during Rails initialization. By restricting which hooks can be loaded (and likely when), it reduces the risk that arbitrary code could be executed at boot or during initialization from external components. The fix appears to be a defensive measure to prevent abuse of Rails' hook-loading mechanism, rather than a fix for a widely-known external vulnerability; its impact depends on whether untrusted code can register or inject load hooks that Rails would execute during startup.

Proof of Concept

Illustrative safe PoC (not executable against a live Rails app): This PoC demonstrates the vulnerability concept in a controlled, non-production environment. It shows how a hypothetical vulnerable hook loader could permit loading and execution of attacker-supplied hooks, and how guard_load_hooks would prevent that.

Assumptions for the illustration:
- A simplified HookLoader that discovers hooks from a directory and loads/executes them at initialization.
- The attacker can place a hook file in the directory with code that would run on load.

Vulnerable scenario (conceptual, not tied to Rails code):

# HookLoader (vulnerable)
# - reads all Ruby files under hooks/ and evaluates them at startup
# - no whitelist; any .rb file will be loaded
# Attacker drops hooks/hook.rb with arbitrary code execution on load
# e.g.,
# hooks/hook.rb | puts "ATTACK" | flag to demonstrate execution

Guarded scenario (the fix in this commit):

# Guarded HookLoader uses a whitelist of allowed hook modules/classes. Only files corresponding to whitelisted hooks are loaded.
# If attacker drops a file not on the whitelist, it is ignored and not executed.
# Example pseudocode:
# WHITELIST = ['ActionControllerBaseHook', 'ActionDispatchRequestHook']
# Dir.entries('hooks').select { |f| f.end_with?('.rb') && WHITELIST.include?(File.basename(f, '.rb')) }.each { |f| require File.expand_path(f, 'hooks') }

Result: With guard_load_hooks in place, attacker-controlled hook files are ignored, preventing arbitrary code execution during initialization.

Commit Details

Author: Gannon McGibbon

Date: 2025-11-19 23:29 UTC

Message:

Guard Action Pack load hooks

Triage Assessment

Vulnerability Type: Code execution (security hardening)

Confidence: MEDIUM

Reasoning:

The commit adds guard_load_hooks in ActionPack Railties for various components, indicating a hardening measure to guard the loading of hooks. This addresses potential code execution paths triggered by user-controlled or misconfigured hooks, thus signaling a security-related fix (hardening against loading hooks that could be exploited). The message explicitly mentions guarding load hooks, which aligns with vulnerability mitigation rather than purely stylistic changes.

Verification Assessment

Vulnerability Type: Code execution (hook loading hardening)

Confidence: MEDIUM

Affected Versions: 8.1.x prior to 8.1.3 (i.e., 8.1.0 - 8.1.2)

Code Diff

diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb index fc4f3cbfbdba2..63acc557c476d 100644 --- a/actionpack/lib/action_controller/railtie.rb +++ b/actionpack/lib/action_controller/railtie.rb @@ -21,6 +21,8 @@ class Railtie < Rails::Railtie # :nodoc: config.eager_load_namespaces << AbstractController config.eager_load_namespaces << ActionController + guard_load_hooks(:action_controller, :action_controller_base, :action_controller_api, :action_controller_test_case) + initializer "action_controller.deprecator", before: :load_environment_config do |app| app.deprecators[:action_controller] = ActionController.deprecator end diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb index 8c4863f78a46f..f8a4d6c1aad59 100644 --- a/actionpack/lib/action_dispatch/railtie.rb +++ b/actionpack/lib/action_dispatch/railtie.rb @@ -50,6 +50,11 @@ class Railtie < Rails::Railtie # :nodoc: config.eager_load_namespaces << ActionDispatch + guard_load_hooks( + :action_dispatch_request, :action_dispatch_response, + :action_dispatch_system_test_case, :action_dispatch_integration_test, + ) + initializer "action_dispatch.deprecator", before: :load_environment_config do |app| app.deprecators[:action_dispatch] = ActionDispatch.deprecator end
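Review bot: The guard_load_hooks(...) call added to actionpack/lib/action_controller/railtie.rb has no comment, and its definition is not part of this diff, so a reader of the railtie cannot tell what happens when one of the four listed hooks fires outside the guarded window (raise, warn, or defer). Please add a one-line comment above the call stating what the guard enforces and pointing to where guard_load_hooks is defined. The call is also a single long line, while the action_dispatch call wraps its arguments; wrapping this one the same way would keep the two railties consistent.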
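Review bot: The hook names passed to guard_load_hooks in actionpack/lib/action_dispatch/railtie.rb are a hardcoded list, and the diff shown touches only the two railtie files, so nothing here would catch the list drifting from the hooks Action Dispatch actually runs. Please add a test asserting that each listed name is guarded. The list also mixes the test-only hooks :action_dispatch_system_test_case and :action_dispatch_integration_test with the request and response hooks without explanation; a short comment on why test hooks belong in the guard would help. The trailing comma before the closing parenthesis is worth checking against the project's style rules.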