[CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode

5032 views
Skip to first unread message

Aaron Patterson

unread,
Jun 16, 2015, 2:07:29 PM6/16/15
to secu...@suse.de, rubyonrail...@googlegroups.com, oss-se...@lists.openwall.com, ruby-sec...@googlegroups.com
XSS Vulnerability in ActiveSupport::JSON.encode

There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails.
This vulnerability has been assigned the CVE identifier CVE-2015-3226.

Versions Affected: 3.0.x, 3.1.x, 3.2.x, 4.1.x, 4.2.x.
Not affected: 4.0.x.
Fixed Versions: 4.2.2, 4.1.11

Impact
------
When a `Hash` containing user-controlled data is encode as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
escaping that matches the guarantee implied by the `escape_html_entities_in_json`
option (which is enabled by default). If this resulting JSON string is subsequently
inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

<%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:

<script>
var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
</script>

All applications that renders JSON-encoded strings that contains user-controlled
data in their views should either upgrade to one of the FIXED versions or use
the suggested workaround immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
To work around this problem add an initializer with the following code:

module ActiveSupport
module JSON
module Encoding
private
class EscapedString
def to_s
self
end
end
end
end
end

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two
supported release series. They are in git-am format and consist of a single changeset.

* 4-1-to_json_xss.patch - Patch for 4.1 series
* 4-2-to_json_xss.patch - Patch for 4.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present.
Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot
guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Francois Chagnon of Shopify for reporting the vulnerability to us, and working
with us on a fix.

--
Aaron Patterson
http://tenderlovemaking.com/
4-1-to_json_xss.patch
4-2-to_json_xss.patch
Reply all
Reply to author
Forward
0 new messages