Commit fe3c7b2

CVE-2020-25739: Enforce HTML entities escaping in gon output
Version 6.4.0
1 parent 9924c70 commit fe3c7b2

5 files changed

+27
-5
lines changed

Diff for: .travis.yml

+5-3
Original file line number | Diff line number | Diff line change
@@ -6,7 +6,9 @@ env:
66

77
rvm:
88
- 2.2.10
9-
- 2.3.7
10-
- 2.4.4
11-
- 2.5.1
9+
- 2.3.8
10+
- 2.4.10
11+
- 2.5.8
12+
- 2.6.6
13+
- 2.7.1
1214
- ruby-head
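Review bot: the CI matrix here drops Ruby 2.2 and adds 2.6 and 2.7 in a commit whose message is only the CVE fix; the CHANGELOG entry in the same commit says nothing about the dropped 2.2 support, so either split the matrix change into its own commit or add a changelog line for it. It is also worth confirming that the gemspec's `required_ruby_version` (not part of this diff) agrees with the new 2.3 minimum.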

Diff for: CHANGELOG.md

+4
@@ -2,6 +2,10 @@
22

33
## [Unreleased]
44

5+
## [6.4.0] - 2020-09-18
6+
### Security
7+
- CVE-2020-25739: Enforce HTML entities escaping in gon output
8+
59
## [6.3.2] - 2019-11-18
610
### Security
711
- Restrict possibility of vulnerable i18n legacy verision (0.3.6.pre)
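Review bot: the new 6.4.0 entry restates the commit title but not the impact, so a reader of the changelog cannot tell from "Enforce HTML entities escaping in gon output" whether they need to upgrade. Suggest one clause naming the effect, e.g. that `<`, `>` and `&` in dumped JSON are now emitted as `\u003c`, `\u003e` and `\u0026` so a value rendered inside a script tag can no longer terminate it, plus a link to the advisory. Minor: the pre-existing typo `verision` in the 6.3.2 entry directly below could be fixed while this file is being touched.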

Diff for: gon.gemspec

+1
@@ -27,4 +27,5 @@ Gem::Specification.new do |s|
2727
s.add_development_dependency 'railties', '>= 3.0.20'
2828
s.add_development_dependency 'rake'
2929
s.add_development_dependency 'pry'
30+
s.add_development_dependency 'pry-byebug'
3031
end
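Review bot: adding `pry-byebug` as a development dependency is unrelated to the security fix and is not mentioned in the commit message; it belongs in a separate commit so the CVE fix can be cherry-picked onto a maintenance branch cleanly. If it stays, give it a version constraint the way `railties` has one.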

Diff for: lib/gon/json_dumper.rb

+16-1
@@ -1,8 +1,23 @@
11
class Gon
22
module JsonDumper
3+
# Taken from ERB::Util
4+
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
5+
JSON_ESCAPE = {
6+
"&" => '\u0026',
7+
">" => '\u003e',
8+
"<" => '\u003c',
9+
"\u2028" => '\u2028',
10+
"\u2029" => '\u2029'
11+
}
12+
313
def self.dump(object)
4-
MultiJson.dump object,
14+
dumped_json = MultiJson.dump object,
515
mode: :compat, escape_mode: :xss_safe, time_format: :ruby
16+
escape(dumped_json)
17+
end
18+
19+
def self.escape(json)
20+
json.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
621
end
722
end
823
end
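Review bot: no spec file is part of this commit (five files changed, none under spec/), so the security fix ships without a regression test. Add one that dumps a string containing `<`, `>`, `&`, U+2028 and U+2029 and asserts the result contains `\u003c`, `\u003e`, `\u0026`, `\u2028` and `\u2029` and none of the raw characters; without it, a later refactor of `dump` can silently drop the `escape(dumped_json)` call on line 16. Two smaller points: `escape_mode: :xss_safe` on line 15 is an Oj-specific option that other MultiJson adapters ignore, which is exactly why the adapter-independent `escape` step is needed, so a one-line comment saying that would stop someone from removing either as redundant; and `JSON_ESCAPE_REGEXP` and `JSON_ESCAPE` should be `.freeze`d, since the hash is a mutable object held in a class-level constant. The replacement values themselves are correct: single-quoted `'\u0026'` is the six-character escape sequence rather than the character, so `gsub` with the hash substitutes the JavaScript escape for each matched character.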

Diff for: lib/gon/version.rb

+1-1
@@ -1,3 +1,3 @@
11
class Gon
2-
VERSION = '6.3.2'
2+
VERSION = '6.4.0'
33
end
