Broken Object Property Level Authorization

Broken Object Property Level Authorization in Ruby on Rails [CVE-2007-5379]

Overview

CVE-2007-5379 describes a dangerous XML handling flaw in Rails prior to 1.2.4: Hash.from_xml delegated XML parsing to XmlSimple (XML::Simple) without disabling external entity resolution. An attacker could craft XML payloads containing external entity references that, when parsed, leaked information from the server. This allowed remote actors and ActiveResource servers to determine whether files exist and to read arbitrary XML files, including sensitive data such as passwords stored in local files (the cited example is Pidgin's .purple/accounts.xml). The vulnerability is categorized as CWE-200: Information Exposure. In practice, an attacker could exfiltrate server-side data by submitting crafted XML to endpoints that deserialize it without strict validation, turning a deserialization path that trusts its input into a data leakage channel.

Affected Versions

Rails before 1.2.4

Code Fix Example

Ruby on Rails API Security Remediation
# Vulnerable pattern (unsafe XML deserialization)
# In Rails < 1.2.4, Hash.from_xml hands untrusted input to XmlSimple, which expands external entities
vuln_xml = params[:xml]
data = Hash.from_xml(vuln_xml)

# Fixed pattern (avoid Hash.from_xml on untrusted input; use a safe parser and explicit extraction)
require 'nokogiri'

def parse_safe_xml(xml)
  # Parse with hardened options. Nokogiri's ParseOptions object exposes each
  # flag as a pair of methods (noent/nonoent, dtdload/nodtdload, ...), not as
  # attribute setters, so the "no" form of each flag is called here.
  doc = Nokogiri::XML(xml) do |config|
    config.nonoent    # do not substitute entities
    config.nodtdload  # do not load external DTDs
    config.nodtdvalid # do not validate against a DTD
    config.nonet      # forbid network access during parsing
  end
  # Explicitly extract only what you need, avoiding generic deserialization
  {
    'root' => {
      'data' => doc.at_xpath('//root/data')&.text
    }
  }
end
parse_safe_xml(params[:xml])
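A complementary defence, added here as an example and not taken from the advisory or from Rails: a pre-parse guard that rejects any request body carrying a DTD before it reaches Hash.from_xml or any other deserializer, since a DTD is the only place an XML 1.0 document can declare the external entities this CVE relies on. The guard functions, the result struct and both sample documents (including the file path in the second one) are constructed for this example.

```ruby
# Added example, not code from the advisory or from Rails: a pre-parse guard
# for bodies that will reach Hash.from_xml or another XML deserializer. XML 1.0
# can declare entities only inside a DTD, so rejecting every body that carries
# a <!DOCTYPE ...> blocks the external-entity payload class of CVE-2007-5379
# before any parser sees it. Assumes the body is already a UTF-8 String.
XmlGuardResult = Struct.new(:safe, :reason, :external_refs)

# Everything before the root element's start tag; a DOCTYPE can only appear
# here. <?xml ...?>, comments and DTD markup start with <? or <!, so the first
# '<' followed by a name character marks the root element.
def xml_prolog(xml)
  xml = xml.delete_prefix("\uFEFF") # drop a UTF-8 byte-order mark
  root = xml.index(/<[A-Za-z_:]/)
  root ? xml[0...root] : xml
end

# external_refs lists the SYSTEM/PUBLIC literals of declared entities so that
# a rejection can be logged with the file or URL the payload pointed at
# (double-quoted literals only; the rejection itself does not depend on this).
def check_untrusted_xml(xml)
  return XmlGuardResult.new(false, "body is not a String", []) unless xml.is_a?(String)
  prolog = xml_prolog(xml)
  # Case-insensitive on purpose: well-formed XML requires upper case, but a
  # lenient parser downstream might not insist on it.
  return XmlGuardResult.new(true, nil, []) unless prolog.match?(/<!DOCTYPE/i)
  refs = prolog.scan(/<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"([^"]*)"/i)
  XmlGuardResult.new(false, "DTD present (DOCTYPE declaration)", refs.flatten)
end

# Gate any deserializer behind the guard; in a Rails controller the block
# would be { |body| Hash.from_xml(body) }.
def deserialize_untrusted_xml(xml)
  result = check_untrusted_xml(xml)
  raise ArgumentError, "rejected XML body: #{result.reason}" unless result.safe
  yield xml
end

# Constructed samples: an ordinary request body, and one shaped like the
# payload class the advisory describes (an external entity naming a local file).
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!-- ordinary request body, no DTD -->
  <user><name>alice</name></user>
XML
DTD_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE user [ <!ENTITY cfg SYSTEM "file:///home/app/.purple/accounts.xml"> ]>
  <user><name>&cfg;</name></user>
XML
```

The guard is deliberately strict: a legitimate document with an internal-only DTD is also rejected, which is the trade-off most APIs accept for request bodies they did not author. It complements, rather than replaces, the hardened parser options in the fix above.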

CVE References
