CVE-2020-25739: Enforce HTML entities escaping in gon output

Version 6.4.0
gazay · Sep 18, 2020 · fe3c7b2 · fe3c7b2
1 parent 9924c70
commit fe3c7b2
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 5 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -6,7 +6,9 @@ env:
 
 rvm:
   - 2.2.10
-  - 2.3.7
-  - 2.4.4
-  - 2.5.1
+  - 2.3.8
+  - 2.4.10
+  - 2.5.8
+  - 2.6.6
+  - 2.7.1
   - ruby-head
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+## [6.4.0] - 2020-09-18
+### Security
+- CVE-2020-25739: Enforce HTML entities escaping in gon output
+
 ## [6.3.2] - 2019-11-18
 ### Security
 - Restrict possibility of vulnerable i18n legacy verision (0.3.6.pre)

diff --git a/gon.gemspec b/gon.gemspec
@@ -27,4 +27,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'railties', '>= 3.0.20'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'pry'
+  s.add_development_dependency 'pry-byebug'
 end
diff --git a/lib/gon/json_dumper.rb b/lib/gon/json_dumper.rb
@@ -1,8 +1,23 @@
 class Gon
   module JsonDumper
+    # Taken from ERB::Util
+    JSON_ESCAPE_REGEXP	=	/[\u2028\u2029&><]/u
+    JSON_ESCAPE	=	{
+      "&" => '\u0026',
+      ">" => '\u003e',
+      "<" => '\u003c',
+      "\u2028" => '\u2028',
+      "\u2029" => '\u2029'
+    }
+
     def self.dump(object)
-      MultiJson.dump object,
+      dumped_json = MultiJson.dump object,
         mode: :compat, escape_mode: :xss_safe, time_format: :ruby
+      escape(dumped_json)
+    end
+
+    def self.escape(json)
+      json.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
     end
   end
 end
diff --git a/lib/gon/version.rb b/lib/gon/version.rb
@@ -1,3 +1,3 @@
 class Gon
-  VERSION = '6.3.2'
+  VERSION = '6.4.0'
 end