Fix RCE in custom-field i18n rendering and add end-to-end regression coverage#1129

Merged
texpert merged 3 commits into master from fix-rce-in-custom-field-i18n-rendering on Mar 16, 2026
Conversation

@texpert texpert commented Mar 15, 2026

Collaborator

A Remote Code Execution risk existed in cama_print_i18n_value (app/helpers/camaleon_cms/html_helper.rb) because user-controlled strings like t(...) were evaluated dynamically.
This PR removes dynamic evaluation, strictly validates translation expressions, and adds layered regression coverage (helper, decorator, view partial, request, and browser flow).

What changed

Security fix

  • Replaced eval-based translation handling in app/helpers/camaleon_cms/html_helper.rb.
  • cama_print_i18n_value now:
    • accepts only strings shaped like t(...)
    • safely extracts the inner key
    • supports quoted keys (including extra whitespace around quoted keys)
    • validates key charset with strict allowlist ([a-zA-Z0-9_.-]+)
    • returns original input unchanged for malformed/malicious payloads
    • never executes arbitrary Ruby code

Association correctness for custom field relationships

  • Updated app/models/concerns/camaleon_cms/custom_fields_read.rb to use relationship-level singular association:
    • field_value.custom_fields -> field_value.custom_field
    • eager_load(:custom_fields) -> eager_load(:custom_field)
  • Made association explicit in app/models/camaleon_cms/custom_fields_relationship.rb:
    • belongs_to :custom_field, class_name: 'CamaleonCms::CustomField', required: false

Test architecture and coverage

  • Added shared matrix and shared examples:
    • spec/shared_specs/i18n_value_translation_safety.rb
    • includes safe, quoted-safe, malformed, and malicious payload cases
  • Refactored helper/decorator tests to reuse shared safety examples:
    • spec/helpers/html_helper_spec.rb
    • spec/decorators/custom_field_decorator_spec.rb
  • Added/updated rendering-path regressions:
    • spec/views/camaleon_cms/default_theme/partials/render_custom_field_spec.rb
    • spec/requests/frontend/custom_fields_translation_spec.rb (thin non-browser check)
    • spec/features/frontend/custom_fields_translation_safe_spec.rb
    • spec/features/frontend/custom_fields_translation_malicious_spec.rb
  • Added isolated template for browser-flow specs:
    • spec/dummy/app/apps/themes/default/views/post_types/rce_secure_fields/single.html.erb
  • spec/dummy/app/apps/themes/default/views/post.html.erb only has newline normalization (no behavior change).

Repo instructions update

  • .github/copilot-instructions.md updated to require explicit user confirmation before proceeding with “Further Considerations”.
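
The hardening described in the comment above (accept only strings shaped like t(...), unquote and trim the inner key, allowlist its charset, return the input unchanged otherwise, never eval), shown as an added, self-contained Ruby example. This is not the project's code from app/helpers/camaleon_cms/html_helper.rb: the eval-based "before" is a simplified reconstruction of the pattern the comment describes, the TRANSLATIONS hash and translate helper stand in for the app's I18n backend, and the method names unsafe_i18n_value / safe_i18n_value are assumptions.

```ruby
# Constructed translation table (assumption: stands in for I18n locale files).
TRANSLATIONS = {
  'site' => { 'title' => 'Hello' },
  'nav'  => { 'home-link' => 'Home' }
}.freeze

# Strict allowlist for translation keys, as stated in the PR description.
KEY_PATTERN = /\A[a-zA-Z0-9_.-]+\z/

# Resolve a dotted key against TRANSLATIONS, mimicking I18n's missing-key text.
def translate(key)
  node = TRANSLATIONS
  key.split('.').each { |part| node = node.is_a?(Hash) ? node[part] : nil }
  node.is_a?(String) ? node : "translation missing: #{key}"
end

# Top-level t(...) so the eval-based version below has something to call.
def t(key)
  translate(key)
end

# BEFORE (illustrative, deliberately vulnerable): the user-controlled string is
# handed to eval, so any Ruby appended after the t(...) call runs with the
# application's privileges. Do not use.
def unsafe_i18n_value(value)
  value.is_a?(String) && value.start_with?('t(') ? eval(value) : value
end

# AFTER: parse, never evaluate.
#  1. only a String shaped exactly like t( ... ) is considered
#  2. the inner key is trimmed and unquoted if wrapped in a matching quote pair
#  3. the key must match KEY_PATTERN
#  4. anything else is returned unchanged, so malicious input is inert
def safe_i18n_value(value)
  return value unless value.is_a?(String)

  match = value.match(/\At\((.*)\)\z/m)
  return value unless match

  inner = match[1].strip
  if inner.length >= 2 && %w[" '].include?(inner[0]) && inner[-1] == inner[0]
    inner = inner[1..-2]
  end
  return value unless inner.match?(KEY_PATTERN)

  translate(inner)
end

# Payload matrix in the spirit of the PR's shared examples (all constructed).
PAYLOADS = {
  safe:        't("site.title")',
  quoted_safe: "t(  'nav.home-link' )",
  unquoted:    't(site.title)',
  malformed:   't("unterminated',
  malicious:   't("site.title"); $rce_marker = :code_ran',
  nested_call: 't(system("id"))'
}.freeze

# Run only the safe version over the matrix; returns { name => rendered }.
def render_matrix
  PAYLOADS.transform_values { |payload| safe_i18n_value(payload) }
end

if __FILE__ == $PROGRAM_NAME
  render_matrix.each { |name, out| puts format('%-12s %s', name, out) }
end
```

The key difference is that the safe version never interprets the string as Ruby: a payload such as `t("site.title"); $rce_marker = :code_ran` is rejected by the outer `\At\((.*)\)\z` shape check and comes back verbatim, whereas the eval-based version runs the assignment. The `\z` anchor (not `\Z`) matters, since `\Z` would tolerate a trailing newline and let the charset check be bypassed for the last character.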

@texpert texpert self-assigned this Mar 16, 2026
@texpert texpert merged commit 1005d44 into master Mar 16, 2026
@texpert texpert deleted the fix-rce-in-custom-field-i18n-rendering branch March 22, 2026 16:36
2 participants