Ruby


By DeepSource

Rails version with SafeBuffer manipulation bug detected RB-A1005

Security

Selected versions of Rails 3 contain the SafeBuffer bug. Upgrading to a newer version of Rails that includes the fix resolves this issue.

Due to side effects of some optimizations in the String class, strings produced by directly manipulating SafeBuffer objects via `[]` and other methods that return new instances of SafeBuffer may be inadvertently marked as HTML safe, even though the manipulation may have introduced unescaped content.
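The following Ruby example is added here to illustrate the failure mode and the defensive pattern; it is not code from the DeepSource rule or from Rails. `ToySafeBuffer` is a constructed stand-in for a SafeBuffer-style String subclass (not `ActiveSupport::SafeBuffer`), `HardenedSafeBuffer` is a simplified illustration of one hardening approach (returning plain Strings from manipulation methods), and the template and `EVIL` input are constructed sample values. It runs with the standard library only.

```ruby
require 'erb'

# Constructed stand-in for a SafeBuffer-style string (NOT ActiveSupport::SafeBuffer):
# a String subclass whose class alone signals "already escaped, emit verbatim".
class ToySafeBuffer < String
  def html_safe?
    true
  end
end

# Escape untrusted text for an HTML body/attribute context.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Hazard: manipulating the buffer with a String method that returns a new
# instance. On Ruby < 3.0 such methods return the *subclass*, so the result is
# still reported as HTML safe although it now carries raw, unescaped user input.
# On Ruby >= 3.0 the result is a plain String, but it still contains the raw
# input and will be double-escaped or emitted raw depending on the caller.
def naive_interpolate(template, placeholder, untrusted)
  template.gsub(placeholder, untrusted)
end

# Defense: drop to a plain String before manipulating, escape the untrusted
# piece, and only then construct a fresh safe buffer around the result.
def safe_interpolate(template, placeholder, untrusted)
  plain = String.new(template)   # discards the subclass and its safe marker
  ToySafeBuffer.new(plain.gsub(placeholder) { h(untrusted) })
end

# Renderer behaving like a template engine: safe buffers are emitted as-is,
# anything else is escaped before output.
def render(fragment)
  safe = fragment.respond_to?(:html_safe?) && fragment.html_safe?
  safe ? fragment.to_s : h(fragment)
end

# Hardening the class itself: every manipulation method that returns a new
# string delegates to a plain String copy, so the result never inherits the
# safe marker (simplified illustration, not the Rails implementation).
class HardenedSafeBuffer < ToySafeBuffer
  [:gsub, :sub, :slice, :[], :strip, :tr, :delete].each do |m|
    # String#to_str on a subclass returns a plain String copy.
    define_method(m) { |*args, &blk| to_str.send(m, *args, &blk) }
  end
end

# Constructed sample values: trusted markup with a placeholder, and hostile input.
TEMPLATE = ToySafeBuffer.new("<p>Hello, NAME!</p>")
EVIL = "<script>alert(1)</script>"

if __FILE__ == $0
  puts "naive:    #{render(naive_interpolate(TEMPLATE, 'NAME', EVIL))}"
  puts "safe:     #{render(safe_interpolate(TEMPLATE, 'NAME', EVIL))}"
  hard = HardenedSafeBuffer.new(TEMPLATE)
  puts "hardened: #{hard.gsub('NAME', EVIL).class}"  # plain String, not safe
end
```

Running the script on Ruby 2.x prints the raw `<script>` tag in the naive line, because `gsub` returned a `ToySafeBuffer`; on Ruby 3.x the naive line is instead entirely escaped (markup included), which is broken output rather than XSS, but the unescaped input is present in the buffer either way. The `safe_interpolate` path produces the intended markup on every version, and `HardenedSafeBuffer` makes the unsafe call impossible to get wrong by returning a plain `String`.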

References

  1. Possible XSS Security Vulnerability in SafeBuffer - Rails Security Group
  2. OWASP Top 10 - A7 - Cross Site Scripting (XSS)
  3. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities