XSS Vulnerability in ActiveSupport::JSON.encode

Metadata

medium
4.3
activesupport
CVE-2015-3226
groups.google.com
2015-06-16
2017-06-16 19:14
CVE-2015-3226 ruby-activesupport-2.3
CVE-2015-3226 ruby-activesupport-3.2
CVE-2015-3226 rails
CVE-2015-3226
2017-04-01 19:10
2017-01-05 20:15

Description

When a `Hash` containing user-controlled data is encoded as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform the
escaping that the `escape_html_entities_in_json` option (enabled by default)
implies it guarantees. If the resulting JSON string is subsequently inserted
directly into an HTML page, the page is vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

<%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:



All applications that render JSON-encoded strings containing user-controlled
data in their views should either upgrade to one of the FIXED versions or apply
the suggested workaround immediately.

Workarounds
-----------
To work around this problem add an initializer with the following code:

module ActiveSupport
  module JSON
    module Encoding
      private
      # Make EscapedString#to_s return the escaped string itself rather than a
      # plain String copy, so the HTML entity escaping is not lost during encoding.
      class EscapedString
        def to_s
          self
        end
      end
    end
  end
end
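The following is an added example, not code from the advisory or from Rails. It models in plain Ruby the two points the description and the workaround turn on: the HTML entity escaping that `escape_html_entities_in_json` is meant to guarantee, and why a `String` subclass whose `#to_s` returns a plain `String` silently loses that escaping when an encoder normalises values with `#to_s` first. The class names `EscapedString`, `LeakyEscapedString` and `FixedEscapedString`, the `encode_hash` encoder and the `safe_to_embed_in_script?` check are all assumptions constructed for this illustration; the escape table is the standard `\u003c`/`\u003e`/`\u0026` substitution and is not a claim about Rails internals.

```ruby
require 'json'

# Characters that must never appear literally in JSON dropped into an HTML
# page. Replacing them with \uXXXX keeps the JSON valid for JavaScript while
# guaranteeing that "</script>" or "<!--" can never be assembled in the page.
HTML_ENTITY_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Stand-in for ActiveSupport::JSON::Encoding::EscapedString (assumed shape,
# not Rails' code): a String subclass whose #to_json applies the HTML entity
# escaping on top of ordinary JSON string escaping.
class EscapedString < String
  def to_json(*)
    String.new(self).to_json.gsub(/[<>&]/) { |c| HTML_ENTITY_ESCAPES[c] }
  end
end

# Vulnerable shape: relies on the inherited String#to_s. On a String subclass
# that method returns a plain String copy, so any encoder that calls #to_s
# before serialising gets a value that no longer carries the escaping #to_json.
class LeakyEscapedString < EscapedString; end

# Shape of the advisory's workaround: #to_s returns self, so the subclass (and
# with it the escaping #to_json) survives a #to_s call.
class FixedEscapedString < EscapedString
  def to_s
    self
  end
end

# Encode a Hash of user-controlled strings with an encoder that, like a generic
# serializer, normalises each key and value with #to_s before calling #to_json.
# Whether the output is HTML-safe depends entirely on what #to_s returns.
def encode_hash(hash, wrapper)
  pairs = hash.map do |key, value|
    k = wrapper.new(key.to_s).to_s
    v = wrapper.new(value.to_s).to_s
    "#{k.to_json}:#{v.to_json}"
  end
  "{#{pairs.join(',')}}"
end

# Defender's check for JSON about to be interpolated into a <script> block:
# no literal <, > or & may remain anywhere, including inside string values.
def safe_to_embed_in_script?(json)
  !json.match?(/[<>&]/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing exactly the characters that matter.
  user_supplied_data = { '<tag>' => 'a</script>b&c' }
  leaky = encode_hash(user_supplied_data, LeakyEscapedString)
  fixed = encode_hash(user_supplied_data, FixedEscapedString)
  puts "leaky: #{leaky}  safe=#{safe_to_embed_in_script?(leaky)}"
  puts "fixed: #{fixed}  safe=#{safe_to_embed_in_script?(fixed)}"
  # The escaped form still decodes to the original data, so nothing is lost.
  puts JSON.parse(fixed) == user_supplied_data
end
```

Run with `ruby` and compare the two lines: the leaky variant emits `</script>` verbatim and fails the check, while the fixed variant emits only `\u00xx` sequences, passes the check, and parses back to the same Hash. The `safe_to_embed_in_script?` check is the kind of assertion worth keeping in a view helper or test suite regardless of which Rails version is installed.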

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Package         Patched in              Unaffected in
activesupport   >= 4.2.2, ~> 4.1.11     < 4.1.0