ruby.lang.security.json-entity-escape.json-entity-escape

Verified by r2c
Community Favorite
Author: semgrep
Download count: 62,402

Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.

Definition

rules:
  - id: json-entity-escape
    pattern-either:
      - pattern: |
          ActiveSupport.escape_html_entities_in_json = false
      - pattern: |
          config.active_support.escape_html_entities_in_json = false
    message: Checks if HTML escaping is globally disabled for JSON output. This
      could lead to XSS.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_entity_escape.rb
      category: security
      technology:
        - ruby
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - ruby
    severity: WARNING

Examples

json-entity-escape.rb

def bad_escape
  # ruleid: json-entity-escape
  ActiveSupport.escape_html_entities_in_json = false
end

def ok_escape
  # ok: json-entity-escape
  ActiveSupport.escape_html_entities_in_json = true
end
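To show why the rule flags the `false` setting, here is an added, self-contained illustration (not part of the rule page and not Rails code): a plain-Ruby model of the escaping that `escape_html_entities_in_json` controls, modelled on ActiveSupport's documented behaviour of rewriting `<`, `>` and `&` in generated JSON as `\u003c`, `\u003e` and `\u0026`. The helper names, the script-inlining template and the untrusted input are assumptions constructed for the demonstration.

```ruby
require "json"

# Escape map modelled on ActiveSupport's JSON encoding; the constant name is ours.
HTML_ESCAPED_CHARS = {
  ">" => '\u003e',
  "<" => '\u003c',
  "&" => '\u0026',
}.freeze

# Encode +obj+ the way an app behaves with escape_html_entities_in_json set
# to +escape+: generate JSON, then rewrite the characters that matter once the
# JSON is placed inside an HTML document. Escaped output is still valid JSON.
def encode_json(obj, escape: true)
  json = JSON.generate(obj)
  escape ? json.gsub(/[<>&]/, HTML_ESCAPED_CHARS) : json
end

# The pattern that makes the setting security-relevant: JSON inlined into a
# <script> block (assumed template, e.g. `window.data = <%= raw data.to_json %>`).
def inline_script(json)
  "<script>window.data = #{json};</script>"
end

# True if the embedded JSON closes the script element early, i.e. the browser
# would parse attacker-controlled text as markup after it.
def breaks_out_of_script?(html)
  html.scan(%r{</script>}i).size > 1
end

# Constructed untrusted input: a value that carries a closing script tag.
UNTRUSTED = { "name" => "</script><b>injected</b>" }.freeze

# Compare the two configurations on the same input.
def demo
  unsafe = inline_script(encode_json(UNTRUSTED, escape: false))
  safe   = inline_script(encode_json(UNTRUSTED, escape: true))
  {
    unsafe_html: unsafe,
    unsafe_breaks_out: breaks_out_of_script?(unsafe),
    safe_html: safe,
    safe_breaks_out: breaks_out_of_script?(safe),
    # Escaping changes only the encoding, not the decoded value.
    round_trips: JSON.parse(encode_json(UNTRUSTED, escape: true)) == UNTRUSTED,
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The escaped form is what the `ok` example above keeps enabled; the unescaped form is what the flagged assignment produces for every `to_json` call in the application, so the fix is to remove the global `false` rather than to patch individual views.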