ruby.lang.security.json-entity-escape.json-entity-escape
Verified by r2c | Community Favorite | Downloads: 62,402
Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.
Definition
rules:
  - id: json-entity-escape
    pattern-either:
      - pattern: |
          ActiveSupport.escape_html_entities_in_json = false
      - pattern: |
          config.active_support.escape_html_entities_in_json = false
    message: Checks if HTML escaping is globally disabled for JSON output. This
      could lead to XSS.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_entity_escape.rb
      category: security
      technology:
        - ruby
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ruby
    severity: WARNING
Examples
json-entity-escape.rb
def bad_escape
  # ruleid: json-entity-escape
  ActiveSupport.escape_html_entities_in_json = false
end

def ok_escape
  # ok: json-entity-escape
  ActiveSupport.escape_html_entities_in_json = true
end
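The setting the rule matches controls whether Rails rewrites `<`, `>` and `&` in generated JSON as `\u003c`, `\u003e` and `\u0026`. The following pure-Ruby imitation is an added example, not ActiveSupport's code and not part of the rule page; it shows why a JSON document interpolated into an inline `<script>` block stays inside that element with escaping on, can terminate it with escaping off, and still parses back to the same value either way. `to_json_html_safe`, `to_json_unescaped`, `breaks_script_context?`, `SAMPLE_STATE` and `demo` are names constructed for this illustration.

```ruby
# Added example (not ActiveSupport's own code): a pure-Ruby imitation of what
# ActiveSupport.escape_html_entities_in_json does while it is left enabled, so
# the effect of disabling it can be seen without a Rails application.
require 'json'

# Replacement table applied to the generated JSON text. Rails' encoder also
# escapes the U+2028/U+2029 line terminators; this constructed table covers
# only the three characters that matter for HTML context.
JSON_HTML_ESCAPES = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026'
}.freeze

# Serialise the way Rails does with the safe default
# (escape_html_entities_in_json = true).
def to_json_html_safe(value)
  JSON.generate(value).gsub(/[<>&]/, JSON_HTML_ESCAPES)
end

# Serialise the way Rails does with the flagged setting
# (escape_html_entities_in_json = false): plain JSON, angle brackets intact.
def to_json_unescaped(value)
  JSON.generate(value)
end

# The situation the rule guards against: a JSON blob written into an inline
# <script> block of a server-rendered page.
def embed_in_script(json_text)
  "<script>window.__STATE__ = #{json_text};</script>"
end

# True when the HTML parser would see a literal "</script" inside the JSON and
# therefore close the script element early, handing the rest to the HTML parser.
def breaks_script_context?(json_text)
  json_text.downcase.include?('</script')
end

# Constructed user-controlled value of the kind that ends up in a JSON payload.
SAMPLE_STATE = { 'comment' => '</script><b>injected markup</b>' }.freeze

# Runs both serialisations over the sample and reports the security-relevant
# properties of each.
def demo(state = SAMPLE_STATE)
  unsafe = to_json_unescaped(state)
  safe   = to_json_html_safe(state)
  {
    unsafe_json: unsafe,
    safe_json: safe,
    unsafe_page: embed_in_script(unsafe),
    safe_page: embed_in_script(safe),
    unsafe_breaks_out: breaks_script_context?(unsafe), # true
    safe_breaks_out: breaks_script_context?(safe),     # false
    # Escaping is lossless: a JSON parser decodes \u003c back to "<".
    round_trips: JSON.parse(safe) == state             # true
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |key, value| puts "#{key}: #{value}" }
end
```

Running the file prints both serialisations; the escaped form contains no literal `<`, `>` or `&`, so no value a user controls can end the `<script>` element or open a tag, which is the property lost when the rule's pattern appears in a configuration.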
Short Link: https://sg.run/plr3