Bug 1232310 (CVE-2015-3226)

Summary: CVE-2015-3226 rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Vasyl Kaigorodov <vkaigoro>
Assignee: Red Hat Product Security <security-response-team>
Keywords: Security
CC: apatters, bkearney, carnil, cbillett, ccoleman, dajohnso, dclarizi, dmcphers, gmccullo, jhardy, jialiu, joelsmith, jokerman, jorton, jprause, jrafanie, jrusnack, jvlcek, kseifried, lmeyer, mmaslano, mmccomas, obarenbo, security-response-team, tomckay, vondruch, xlecauch
Fixed In Version: rubygem-activesupport-4.2.2, rubygem-activesupport-4.1.11
Doc Type: Bug Fix
Last Closed: 2015-07-31 12:52:54 UTC
Bug Depends On: 1249055, 1249056, 1249057, 1249059, 1249060
Bug Blocks: 1232306, 1232311
Attachments:
Patch for ActiveSupport 4.1 (flags: none)
Patch for ActiveSupport 4.2 (flags: none)

Description Vasyl Kaigorodov 2015-06-16 13:11:33 UTC
There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails.

When a `Hash` containing user-controlled data is encoded as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
escaping that matches the guarantee implied by the `escape_html_entities_in_json`
option (which is enabled by default). If this resulting JSON string is subsequently
inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

    <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:

    <script>
      var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
    </script>

Workarounds
-----------
To work around this problem add an initializer with the following code:

    module ActiveSupport
      module JSON
        module Encoding
          private
          class EscapedString
            def to_s
              self
            end
          end
        end
      end
    end

Attached patches resolve this issue.

Acknowledgements:

Red Hat would like to thank Ruby upstream developers for reporting this issue. Upstream acknowledges Francois Chagnon of Shopify as the original reporter.
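The escaping that `escape_html_entities_in_json` is meant to guarantee, as an added stand-alone Ruby example (not ActiveSupport's code and not the attached patch): the standard-library JSON output is post-processed so the characters that matter inside a `<script>` block become `\u` escapes, and a check confirms the result is safe to inline. The mapping, helper names and sample hash are this example's own assumptions.

```ruby
require 'json'

# Characters that can break out of a <script> block or an HTML context
# even when they sit inside a JSON string literal. The \uXXXX forms are
# legal JSON escapes, so the decoded value is unchanged. This table is
# written for the example (assumption), not copied from ActiveSupport.
HTML_UNSAFE_IN_JSON = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028', # JS line terminators: valid in JSON, fatal in a script
  "\u2029" => '\u2029',
}.freeze

UNSAFE_RE = Regexp.union(HTML_UNSAFE_IN_JSON.keys)

# Encode with the standard library, then escape after the fact. In valid
# JSON these characters can only occur inside string literals, so the
# substitution is safe to apply to the whole document.
def html_safe_json(obj)
  JSON.generate(obj).gsub(UNSAFE_RE, HTML_UNSAFE_IN_JSON)
end

# Check a template helper or a test suite can run on any JSON string
# before it is inlined into a <script> block or a javascript_tag.
def safe_to_inline?(json)
  !json.match?(UNSAFE_RE)
end

# Constructed sample: a hash whose values came from user input.
SAMPLE = { "name" => "Ann <b>&</b> Bob", "note" => "line\u2028break" }.freeze

if $PROGRAM_NAME == __FILE__
  plain = JSON.generate(SAMPLE)
  safe  = html_safe_json(SAMPLE)
  puts "stdlib:  #{plain}  inline-safe? #{safe_to_inline?(plain)}"
  puts "escaped: #{safe}  inline-safe? #{safe_to_inline?(safe)}"
  puts "round-trips: #{JSON.parse(safe) == SAMPLE}"
end
```

The same `safe_to_inline?` check applied to the output of `ActiveSupport::JSON.encode` is a quick way to confirm whether an installed version honours the option.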

Comment 1 Kurt Seifried 2015-06-16 19:38:52 UTC
This is now public:

http://seclists.org/oss-sec/2015/q2/732

Comment 2 Ján Rusnačko 2015-07-31 12:39:20 UTC
Created attachment 1058043
Patch for ActiveSupport 4.1

Comment 3 Ján Rusnačko 2015-07-31 12:39:38 UTC
Created attachment 1058044
Patch for ActiveSupport 4.2

Comment 6 Ján Rusnačko 2015-07-31 12:45:54 UTC
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1249055]
Affects: epel-all [bug 1249056]