Possible XSS vulnerability in ActionView

2020-03-1821:00:00

RubySec

rubysec.com

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

JSON

There is a possible XSS vulnerability in ActionView’s JavaScript literal
escape helpers. Views that use the j or escape_javascript methods
may be susceptible to XSS attacks.

Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2

Impact

There is a possible XSS vulnerability in the j and escape_javascript
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:

&lt;script&gt;let a = `&lt;%= j unknown_input %&gt;`&lt;/script&gt;

&lt;script&gt;let a = `&lt;%= escape_javascript unknown_input %&gt;`&lt;/script&gt;

Releases

The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

Workarounds

For those that can’t upgrade, the following monkey patch may be used:

ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" =&gt; "\\`",
    "$" =&gt; "\\$"
  }
)

module ActionView::Helpers::JavaScriptHelper
  alias :old_ej :escape_javascript
  alias :old_j :j

  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|&lt;\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript
end