Ruby

By DeepSource

Rails version specified in Gemfile does not encode JSON keys (RB-A1010)

Security

When a Hash containing user-controlled data is encoded as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default): the values are escaped, but the keys are not. If the resulting JSON string is subsequently inserted directly into an HTML page, the page is vulnerable to XSS attacks. Upgrading to a newer version of Rails fixes this issue.
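The following is an added example, not code from Rails or from DeepSource, showing the gap described above and one way to close it on the application side while an upgrade is pending. It uses only Ruby's standard json library; the three replacement sequences (\u003c, \u003e, \u0026) are the ones Rails substitutes when escape_html_entities_in_json is on, and the helper names html_safe_json and html_safe_json? are assumptions introduced here. Applying the escapes to the serialised text rather than to individual values covers keys and values alike, which is exactly what the vulnerable encoder failed to do.

```ruby
require "json"

# The characters that let a JSON string break out of an HTML <script>
# context, mapped to the same escapes Rails uses for
# escape_html_entities_in_json. This helper is an added example, not
# Rails code. Single quotes keep the backslash literal.
HTML_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# Encode a Hash as JSON and escape HTML-significant characters in the
# whole output, keys included. Because the substitution runs over the
# serialised text, a user-controlled key such as "</script><script>"
# cannot slip through unescaped. The escapes are plain JSON string
# escapes, so JSON.parse still returns the original data.
def html_safe_json(hash)
  JSON.generate(hash).gsub(/[<>&]/, HTML_ESCAPES)
end

# Defender-side check: true when a JSON string contains no raw
# HTML-significant characters and can therefore be inlined into a page.
# Suitable as an assertion in a test suite around any code path that
# embeds JSON in HTML.
def html_safe_json?(json)
  !json.match?(/[<>&]/)
end

# Constructed sample: a hash whose key, not only its value, comes from
# user input. Plain JSON.generate leaves the key's angle brackets intact.
USER_CONTROLLED = {
  "</script><script>alert(1)</script>" => "value",
  "name" => "<b>bob</b>"
}.freeze

if __FILE__ == $PROGRAM_NAME
  raw  = JSON.generate(USER_CONTROLLED)
  safe = html_safe_json(USER_CONTROLLED)
  puts "raw:  #{raw}  (html safe? #{html_safe_json?(raw)})"
  puts "safe: #{safe}  (html safe? #{html_safe_json?(safe)})"
  puts "round-trips: #{JSON.parse(safe) == USER_CONTROLLED}"
end
```

Run it with `ruby` to see the unescaped key in the raw output and the escaped form produced by html_safe_json. The check html_safe_json? is deliberately strict (it rejects any raw `<`, `>` or `&`), so it is a cheap guard to put in front of every place that interpolates JSON into a template.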

References

  1. CVE-2015-3226 - Rails Security Group
  2. CVE-2015-3226 - GitHub Advisory Database
  3. OWASP Top 10 - A7 - Cross Site Scripting (XSS)
  4. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities
  5. SANS 25 - CWE-79 - Cross Site Scripting