RubySec

Providing security resources for the Ruby community

CVE-2015-3226 (activesupport): XSS Vulnerability in ActiveSupport::JSON.encode

ADVISORIES

GEM

activesupport

FRAMEWORK

Ruby on Rails

UNAFFECTED VERSIONS

  • < 4.1.0

PATCHED VERSIONS

  • >= 4.2.2
  • ~> 4.1.11

DESCRIPTION

When a Hash containing user-controlled data is encode as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

&lt;%= javascript_tag &quot;var data = #{user_supplied_data.to_json};&quot; %&gt;

Similarly, the following is also vulnerable:

&lt;script&gt;
  var data = &lt;%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %&gt;;
&lt;/script&gt;

All applications that renders JSON-encoded strings that contains user-controlled data in their views should either upgrade to one of the FIXED versions or use the suggested workaround immediately.

Workarounds

To work around this problem add an initializer with the following code:

module ActiveSupport module JSON module Encoding private class EscapedString def to_s self end end end end end

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories