XSS Vulnerability in ActiveSupport::JSON.encode There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2015-3226. Versions Affected: 3.0.x, 3.1.x, 3.2.x, 4.1.x, 4.2.x. Not affected: 4.0.x. Fixed Versions: 4.2.2, 4.1.11 Impact ------ When a `Hash` containing user-controlled data is encode as JSON (either through `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate escaping that matches the guarantee implied by the `escape_html_entities_in_json` option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks. For example, the following code snippet is vulnerable to this attack: <%= javascript_tag "var data = #{user_supplied_data.to_json};" %> Similarly, the following is also vulnerable: <script> var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>; </script> All applications that renders JSON-encoded strings that contains user-controlled data in their views should either upgrade to one of the FIXED versions or use the suggested workaround immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem add an initializer with the following code: module ActiveSupport module JSON module Encoding private class EscapedString def to_s self end end end end end Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 4-1-to_json_xss.patch - Patch for 4.1 series * 4-2-to_json_xss.patch - Patch for 4.2 series Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Francois Chagnon of Shopify for reporting the vulnerability to us, and working with us on a fix.
3.2.22.1 and 4.0.13-r1 are still in tree which are vulnerable. Please clean.
(In reply to Aaron Bauman from comment #1) > 3.2.22.1 and 4.0.13-r1 are still in tree which are vulnerable. Please clean. 4.0 is explicitly listed as "Not affected". AT the time I had assumed that 3.2.22 would include fixes for this, but this is not the case and looking at this again the 3.2 series is listed as affected but not patches are available for it. The code is also different from 4.1 so comparing whether the patch has been applied is not going to work. I'll have to follow up with upstream to see what the actual status is.
Hans, any updates?
I didn't find time to investigate this. Looking at the upstream security policy at http://rubyonrails.org/security/ it seems that they consider this a minor security issue and those are no longer backported to 3.2.x. I also did not see a fix for it in the upstream git repo. My suggestion would be to follow the upstream assessment and just continue with this security bug and not fix this. Note that rails 5.x will be released 'soon' (first beta is out now). Once that happens support for rails 3.2 will officially stop and we will remove it from Gentoo.
3.2.22 is masked for removal, which is the final version needing cleaned. @maintainer(s), please close this bug once the masked version is removed. GLSA Vote: No
Tree is clean.
