Issue #7878 has been reported by Randall Hansen.
----------------------------------------
Bug #7878: Investigate & fix potential XSS bug in Rails
https://projects.puppetlabs.com/issues/7878
Author: Randall Hansen
Status: Investigating
Priority: Normal
Assignee:
Category:
Target version: 1.2
Keywords:
Branch:
Affected URL:
Affected Dashboard version:
# Potential XSS Vulnerability in Ruby on Rails Applications
The XSS prevention support in recent versions of Ruby on Rails allows some string
operations which, when combined with user supplied data, may leave an 'unsafe
string' incorrectly considered safe. It is unlikely that applications call
these methods; however, we are shipping new versions today which prevent their
use to ensure they're not called unintentionally.
## How the XSS Prevention Works
When strings are rendered to the client, if the string is not marked as "html
safe", the string will be automatically escaped and marked as "html safe". Some
helper methods automatically return strings already marked as safe.
For example:

    <%= link_to('hello world', @user) %>

The `link_to` method will return a string marked as html safe. Since `link_to`
returns an "html safe" string (also known as a safe buffer), the text will be
output directly, meaning the user sees a link tag rather than escaped HTML.
## The Problem
Safe buffers are allowed to be mutated in place via methods like `sub!`. These
methods can add unsafe strings to a safe buffer, and the safe buffer will
continue to be marked safe.
An example problem would be something like this:

    <%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>

In the above example, an untrusted string (`params[:xss]`) is added to the safe
buffer returned by `link_to`, and the untrusted content is successfully sent to
the client without being escaped. To prevent this from happening `sub!` and
other similar methods will now raise an exception when they are called on a
safe buffer.
In addition to the in-place versions, some of the versions of these methods
which return a copy of the string will incorrectly mark strings as safe. For
example:

    <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>

The new versions will now ensure that *all* strings returned by these methods
on safe buffers are marked unsafe.
## Affected versions
This problem affects all versions of Rails: 3.1.0.rc1, 3.0.7, and 2.3.11.
## The Solution
Any methods that mutate the safe buffer without escaping input will now raise
an exception.
If you need to modify a safe buffer, cast it to a Ruby string first by calling
the `to_str` method:

    <%= link_to('hello world', @user).to_str.sub!(/hello/, params[:xss]) %>

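As an added example (not code from this bug report, from the Rails advisory it quotes, or from Rails itself), the following Ruby script models the safe-buffer rule described in "The Problem" and "The Solution" above. `render`, `link_to`, `LeakySafeBuffer`, `FixedSafeBuffer`, `UnsafeStringError` and `UNTRUSTED` are simplified stand-ins written for this example, not ActiveSupport or ActionView code, and the untrusted input is constructed. It shows the pre-fix leak through `sub!`, then the three fixed behaviours: `sub!` raising on a safe buffer, `sub` returning an unsafe string, and the `to_str` escape hatch.

```ruby
require "cgi"

# Rendering rule the advisory describes: an html_safe? value is emitted
# verbatim, anything else is escaped before it reaches the client.
def render(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    CGI.escapeHTML(value.to_s)
  end
end

class UnsafeStringError < StandardError; end

# Pre-fix behaviour (assumed simplified model, not ActiveSupport::SafeBuffer):
# a String subclass that stays "safe" no matter how it is mutated, so sub!
# can splice untrusted text into it without the flag ever being cleared.
class LeakySafeBuffer < String
  def html_safe?
    true
  end
end

# Fixed behaviour (assumed simplified model): in-place mutators raise,
# copying methods return a plain String (which render treats as unsafe),
# and to_str is the explicit plain-String escape hatch from the advisory.
class FixedSafeBuffer < String
  def html_safe?
    true
  end

  %w[sub! gsub! insert prepend].each do |name|
    define_method(name) do |*_args, &_blk|
      raise UnsafeStringError, "#{name} is not allowed on a safe buffer"
    end
  end

  %w[sub gsub].each do |name|
    define_method(name) do |*args, &blk|
      String.new(super(*args, &blk)) # drop the subclass, i.e. mark unsafe
    end
  end

  def to_str
    String.new(self)
  end
end

# Stand-in for the link_to helper: escapes its inputs and returns a safe buffer.
def link_to(text, href, buffer_class)
  buffer_class.new(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>))
end

# Constructed untrusted input standing in for params[:xss]; harmless markup is
# enough to show whether escaping happened.
UNTRUSTED = "<b>injected</b>"

# Old behaviour: the markup from UNTRUSTED reaches the client unescaped.
def leaky_sub_bang
  render(link_to("hello world", "/users/1", LeakySafeBuffer).sub!(/hello/, UNTRUSTED))
end

# Fixed: in-place mutation of a safe buffer is refused outright.
def fixed_sub_bang
  link_to("hello world", "/users/1", FixedSafeBuffer).sub!(/hello/, UNTRUSTED)
  :no_error
rescue UnsafeStringError
  :raised
end

# Fixed: the copy returned by sub is unsafe, so the whole result is escaped.
def fixed_sub
  render(link_to("hello world", "/users/1", FixedSafeBuffer).sub(/hello/, UNTRUSTED))
end

# Fixed: casting with to_str first yields a plain String that render escapes.
def fixed_to_str
  render(link_to("hello world", "/users/1", FixedSafeBuffer).to_str.sub!(/hello/, UNTRUSTED))
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky sub!: #{leaky_sub_bang}"
  puts "fixed sub!: #{fixed_sub_bang}"
  puts "fixed sub : #{fixed_sub}"
  puts "to_str    : #{fixed_to_str}"
end
```

Run it with `ruby safe_buffer_demo.rb`. Note that in the fixed cases the link markup itself is escaped along with the injected text: once a safe buffer has been combined with unescaped input, nothing about the result can be trusted, so the advisory's rule is to treat the whole string as unsafe rather than try to escape only the new part.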
## Upgrading
This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss)
(which will be released in the next hour). If for some reason you cannot upgrade
your Rails installation, please apply these patches (also find them attached):
* [For 3.1.0.rc1](https://gist.github.com/89d6266cc7875614c5a5)
* [For 3.0.7](https://gist.github.com/b2ceb626fc2bcdfe497f)
* [For 2.3.11, specifically the rails_xss plugin](https://gist.github.com/392235903426322e0414)
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.