Rails 5.0 Vulnerabilities

To enumerate Rails 5.0 vulnerabilities, we created an application using the latest patch version of Rails 5.0 and ran bundler-audit against its bundle to find all known vulnerabilities in the resulting gem set.

Here we list the security risks related to a sample Rails 5.0 application.

VULNERABLE GEM: ACTIONVIEW@5.0.7.2

Name: actionview

Version: 5.0.7.2

ID: CVE-2020-5267

Possible XSS vulnerability in ActionView

Description

There is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.2.2, 5.2.4.2

IMPACT

There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this:

<script>let a = `<%= j unknown_input %>`</script>

or

<script>let a = `<%= escape_javascript unknown_input %>`</script>

RELEASES

The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

WORKAROUNDS

For those that can't upgrade, the following monkey patch may be used:

# Add backtick and dollar sign to the escape table so that values rendered
# inside ES2015 template literals (`...` and ${...}) are escaped as well.
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" => "\\`",
    "$" => "\\$"
  }
)

module ActionView::Helpers::JavaScriptHelper
  alias :old_ej :escape_javascript
  alias :old_j :j

  # Same as the original helper, but with [`] and [$] added to the pattern so
  # the two new map entries above are actually applied.
  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    # Preserve the html_safe flag of the input, as the original helper does.
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript
end
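Because the fixed releases above are 6.0.2.2 and 5.2.4.2, the actionview 5.0.7.2 gem in this listing is covered only by the workaround. The following is an added example, not code from the advisory or from Rails: a stand-alone re-implementation of the escaper (assumed to mirror the 5.0.x JS_ESCAPE_MAP and gsub pattern) that shows, without loading Rails, what the unpatched and patched behaviour is and how to check an escaped value for the template-literal gap.

```ruby
# Stand-alone re-implementation of ActionView's JavaScript-literal escaper,
# modelled on the 5.0.x helper (assumption: mirrors JS_ESCAPE_MAP and the
# gsub pattern in ActionView::Helpers::JavaScriptHelper). Not Rails code.
BASE_ESCAPE_MAP = {
  "\\"     => "\\\\",
  "</"     => "<\\/",
  "\r\n"   => "\\n",
  "\n"     => "\\n",
  "\r"     => "\\n",
  '"'      => '\\"',
  "'"      => "\\'",
  "\u2028" => "&#x2028;",
  "\u2029" => "&#x2029;"
}.freeze

# The two entries the advisory's workaround adds: backtick delimits an ES2015
# template literal and "$" opens its "${...}" substitution syntax.
PATCHED_ESCAPE_MAP = BASE_ESCAPE_MAP.merge("`" => "\\`", "$" => "\\$").freeze

# Pre-fix behaviour: safe inside '...' or "..." string literals, but a value
# placed inside `...` can still close the literal or start a substitution.
def escape_javascript_unpatched(javascript)
  s = javascript.to_s
  return "" if s.empty?
  s.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'])/u, BASE_ESCAPE_MAP)
end

# Patched behaviour, equivalent to the advisory's monkey patch.
def escape_javascript_patched(javascript)
  s = javascript.to_s
  return "" if s.empty?
  s.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"']|[`]|[$])/u, PATCHED_ESCAPE_MAP)
end

# Review-time check: does an escaped value still contain an unescaped backtick
# or "${", i.e. could it leave a template literal such as `<%= j value %>`?
def breaks_template_literal?(escaped)
  escaped.match?(/(?<!\\)`|(?<!\\)\$\{/)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input, not taken from the advisory.
  value = "it's `quoted` and costs ${price}"
  [[:unpatched, escape_javascript_unpatched(value)],
   [:patched,   escape_javascript_patched(value)]].each do |label, out|
    puts "#{label}: #{out}  breaks literal? #{breaks_template_literal?(out)}"
  end
end
```

The unpatched output keeps the backtick and "${" intact, so the check reports true; the patched output escapes both and the check reports false.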