-
-
Notifications
You must be signed in to change notification settings - Fork 218
/
CVE-2020-5267.yml
70 lines (59 loc) · 1.73 KB
/
CVE-2020-5267.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
---
gem: actionview
framework: rails
cve: 2020-5267
ghsa: 65cv-r6x7-79hv
url: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
title: Possible XSS vulnerability in ActionView
date: 2020-03-19
description: |
There is a possible XSS vulnerability in ActionView's JavaScript literal
escape helpers. Views that use the `j` or `escape_javascript` methods
may be susceptible to XSS attacks.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2
Impact
------
There is a possible XSS vulnerability in the `j` and `escape_javascript`
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:
```erb
<script>let a = `<%= j unknown_input %>`</script>
```
or
```erb
<script>let a = `<%= escape_javascript unknown_input %>`</script>
```
Releases
--------
The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
Workarounds
-----------
For those that can't upgrade, the following monkey patch may be used:
```ruby
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
{
"`" => "\\`",
"$" => "\\$"
}
)
module ActionView::Helpers::JavaScriptHelper
alias :old_ej :escape_javascript
alias :old_j :j
def escape_javascript(javascript)
javascript = javascript.to_s
if javascript.empty?
result = ""
else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
end
alias :j :escape_javascript
end
```
cvss_v3: 4.0
patched_versions:
- "~> 5.2.4, >= 5.2.4.2"
- ">= 6.0.2.2"