Mitigations also offered as interim remedy


Web developers who use Action View, a popular Ruby Gem that handles web requests in the Rails web application framework, have been urged to update to the latest version after the discovery of a cross-site scripting (XSS) vulnerability.

The security flaw (CVE-2020-5267), which is classed as ‘medium’ severity, was found in the j and escape_javascript methods in Action View’s JavaScript literal escape helpers, according to an advisory posted to GitHub on March 17.

Views that use either of these methods are therefore susceptible to “really any XSS attack”, according to Aaron Patterson, who published the advisory.

“These methods are used for escaping user input used in JavaScript strings,” he told The Daily Swig.

“For example, if an app receives input from a user, and the app needs to embed that user input in a JavaScript literal (which is different than being JSON encoded), then you would use these methods to escape the string.”

Action View currently has more than 164 million installs, but Patterson, a senior software engineer at GitHub, said: “It’s probably a pretty rare issue because I think most applications will use JSON to encode data for JavaScript, and encoding data as JSON will not be impacted by this issue.”

David Heinemeier Hansson, creator of Ruby on Rails, told The Daily Swig that he didn’t have any data on Action View installs or usage of the methods affected by the flaw, which was discovered by Jesse Campos, founder of cybersecurity training platform Chef Secure.

Security updates and mitigations

The maintainers of the open source Action View Ruby Gem project released patched versions 6.0.2.2 and 5.2.4.2 on March 19.

The XSS flaw affects all versions of the software preceding 5.2.4.2 and series 6 iterations down to 6.0.0.

A monkey patch has been provided for anyone unable to upgrade, as well as patches in git-am format, comprising a single changeset, for the 5.2 series and 6.0 series.

Anyone using unsupported releases earlier than the 5.2 and 6.0 series is urged by the advisory to upgrade as soon as possible, as the project’s maintainers said they “cannot guarantee the continued availability of security fixes for unsupported releases”.

Proof of concept

The Action View vulnerability only occurs within template strings that are enclosed with backticks, for instance a literal into which ${alert(document.cookie)} has been inserted.

Template strings allow developers to place JavaScript expressions using ${} syntax. However, because the vulnerable versions did not escape backticks or the $ character, an attacker could either break out of the template string with a backtick or use ${} to inject their own JavaScript.

The patch escapes $ and `, which prevents those characters being treated as template expressions or backtick characters.

For example: `${alert(1)}` will call the function alert, but not if you escape the $ – for instance: `\${alert(1)}`.

Impacted code, warns the advisory, will look something like: <script>let a = `<%= j unknown_input %>`</script> or <script>let a = `<%= escape_javascript unknown_input %>`</script>.
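As an added example (not code from Rails, the advisory or this article), the following simplified Ruby stand-in for the j / escape_javascript helper contrasts the escape table before and after the fix and scans the text that would land between the backticks for syntax the template parser would still honour; the escape-table entries are an assumption about the helper's behaviour, not its actual source.

```ruby
# Added example, not Rails' own code: a simplified stand-in for the j /
# escape_javascript helper with the escape table before and after the
# CVE-2020-5267 fix, plus a scanner that flags output which a backtick
# template literal would still parse as an expression or a terminator.

# What the vulnerable releases escaped (assumed). Order matters: "\r\n"
# must be tried before "\r" and "\n" because Regexp.union is leftmost-first.
VULNERABLE_MAP = {
  "\\"     => "\\\\",
  "</"     => "<\\/",
  "\r\n"   => "\\n",
  "\n"     => "\\n",
  "\r"     => "\\n",
  '"'      => '\\"',
  "'"      => "\\'",
  "\u2028" => "&#x2028;",
  "\u2029" => "&#x2029;",
}.freeze

# The patch adds the backtick and the dollar sign, so user input can no
# longer close the literal or open a ${...} expression.
PATCHED_MAP = VULNERABLE_MAP.merge("`" => "\\`", "$" => "\\$").freeze

def escape_js(input, map)
  input.to_s.gsub(Regexp.union(map.keys), map)
end

def vulnerable_escape(input); escape_js(input, VULNERABLE_MAP); end
def patched_escape(input);    escape_js(input, PATCHED_MAP);    end

# Walks the text that lands between the backticks of
#   <script>let a = `<%= j unknown_input %>`</script>
# honouring JS escapes: a backslash consumes the next character; an
# unescaped backtick ends the literal early and an unescaped "${"
# opens an expression, so either means the input kept its syntax.
def unsafe_in_template_literal?(escaped)
  i = 0
  while i < escaped.length
    case escaped[i]
    when "\\" then i += 2; next
    when "`"  then return true
    when "$"  then return true if escaped[i + 1] == "{"
    end
    i += 1
  end
  false
end
```

The pre-escaped input `\${alert(1)}` is the instructive case: the old table turns it into an escaped backslash followed by a live expression, while the patched table neutralises both the backslash and the dollar sign.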

Action View handles web requests in Rails along with Action Controller, which communicates with the database and performs appropriate CRUD actions.

Action View, whose templates are written using embedded Ruby in tags combined with HTML, then compiles the response.
