There is a possible XSS (Cross-site Scripting) vulnerability in Rails::Html::Sanitizer affecting all versions, which may allow content injection by an attacker in certain situations. This vulnerability has been assigned the CVE (Common Vulnerabilities and Exposures) identifier CVE-2022-32209.

In this post, we will discuss the details of this vulnerability, its impact, and the steps required to resolve it.

Exploit Details

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both select and style elements.

The affected code is only impacted if allowed tags are being overridden. This may be done via application configuration, using the Action View helper sanitize, or by using Rails::Html::SafeListSanitizer directly.

For example, if you have the following configuration in your Rails application

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]

See Configuring Action View for more information.

Or, if you're using the sanitize helper

<%= sanitize @comment.body, tags: ["select", "style"] %>

See SanitizeHelper for more information.

Or, if you're using Rails::Html::SafeListSanitizer directly

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

or

# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])

All users who are overriding the allowed tags by any of the methods mentioned above should either upgrade or use one of the workarounds immediately.

Impact

If your application is vulnerable to this issue, it could allow attackers to inject malicious scripts or content that can potentially compromise the security of your users' data and the application itself.

Fixed Versions

This vulnerability is fixed in Rails::Html::Sanitizer version v1.4.3.

Resolution

To resolve this issue, update your Rails::Html::Sanitizer to version v1.4.3 or later. Alternatively, remove either select or style from the overridden allowed tags as a temporary workaround; the issue requires both to be allowed.
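The following Ruby script is an added example for this post, not code from the rails-html-sanitizer project or the Rails advisory. It ties the two parts above together: it audits an allowed-tags override (from any of the configuration, helper or direct-call forms shown earlier) for the select plus style combination the advisory describes, compares the installed gem version against the fixed version v1.4.3, and applies the workaround of dropping one of the two tags. The helper names (risky_override?, fixed_version?, exposed?, apply_workaround) are hypothetical, the sample override is constructed, and the script does not call the sanitizer itself, so it runs without Rails installed.

```ruby
# Added example (not part of the Rails advisory): audit an allowed-tags override
# for the select + style combination that CVE-2022-32209 depends on, and apply
# the advisory's workaround. Helper names here are hypothetical.
require "rubygems"
require "set"

# The advisory states the issue needs BOTH of these elements to be allowed.
RISKY_TAG_PAIR = %w[select style].freeze

# Version from the advisory's "Fixed Versions" section.
FIXED_VERSION = Gem::Version.new("1.4.3")

# True when an override allows both "select" and "style".
# Accepts strings or symbols, case-insensitively; nil (no override) is safe,
# because the advisory says only overridden tag lists are affected.
def risky_override?(allowed_tags)
  return false if allowed_tags.nil?
  tags = allowed_tags.map { |t| t.to_s.downcase }.to_set
  RISKY_TAG_PAIR.all? { |t| tags.include?(t) }
end

# True when the installed rails-html-sanitizer version is at or past the fix.
# Accepts "1.4.3" or "v1.4.3".
def fixed_version?(version)
  Gem::Version.new(version.to_s.sub(/\Av/, "")) >= FIXED_VERSION
end

# A deployment is exposed only when the gem predates the fix AND the override
# contains both tags.
def exposed?(version:, allowed_tags:)
  !fixed_version?(version) && risky_override?(allowed_tags)
end

# Workaround from the advisory: drop one of the two tags. Default is "style",
# since inline CSS is rarely needed in user-supplied content. Returns a new array.
def apply_workaround(allowed_tags, drop: "style")
  allowed_tags.reject { |t| t.to_s.downcase == drop }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the override the advisory uses as its example, plus
  # two harmless tags.
  override = ["select", "style", "p", "a"]
  puts "risky override?      #{risky_override?(override)}"
  puts "exposed on v1.4.2?   #{exposed?(version: "v1.4.2", allowed_tags: override)}"
  puts "exposed on v1.4.3?   #{exposed?(version: "v1.4.3", allowed_tags: override)}"
  safer = apply_workaround(override)
  puts "after workaround:    #{safer.inspect} -> risky? #{risky_override?(safer)}"
end
```

In a real application the tag list passed to risky_override? would be whatever you assign to config.action_view.sanitized_allowed_tags, Rails::Html::SafeListSanitizer.allowed_tags, or the tags: option of sanitize, and the version string would come from Gem.loaded_specs["rails-html-sanitizer"]. The audit deliberately treats a nil override as safe, matching the advisory's statement that default allowed tags are not affected.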

Credits

This vulnerability was responsibly reported by windshock (https://hackerone.com/windshock?type=user). We appreciate their contribution to securing Rails applications and making the internet a safer place.

Timeline

Published on: 06/24/2022 15:15:00 UTC
Last modified on: 08/15/2022 11:21:00 UTC