1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/activesupport/lib/active_support/json/encoding.rb
Rafael Mendonça França 193b76cbf0 Escape HTML entities in JSON keys
Fixes CVE-2015-3226
2015-06-16 17:27:48 -03:00

127 lines
4.5 KiB
Ruby

require 'active_support/core_ext/object/json'
require 'active_support/core_ext/module/delegation'
module ActiveSupport
class << self
delegate :use_standard_json_time_format, :use_standard_json_time_format=,
:time_precision, :time_precision=,
:escape_html_entities_in_json, :escape_html_entities_in_json=,
:json_encoder, :json_encoder=,
:to => :'ActiveSupport::JSON::Encoding'
end
module JSON
# Dumps objects in JSON (JavaScript Object Notation).
# See http://www.json.org for more info.
#
# ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
# # => "{\"team\":\"rails\",\"players\":\"36\"}"
def self.encode(value, options = nil)
Encoding.json_encoder.new(options).encode(value)
end
module Encoding #:nodoc:
class JSONGemEncoder #:nodoc:
attr_reader :options
def initialize(options = nil)
@options = options || {}
end
# Encode the given object into a JSON string
def encode(value)
stringify jsonify value.as_json(options.dup)
end
private
# Rails does more escaping than the JSON gem natively does (we
# escape \u2028 and \u2029 and optionally >, <, & to work around
# certain browser problems).
ESCAPED_CHARS = {
"\u2028" => '\u2028',
"\u2029" => '\u2029',
'>' => '\u003e',
'<' => '\u003c',
'&' => '\u0026',
}
ESCAPE_REGEX_WITH_HTML_ENTITIES = /[\u2028\u2029><&]/u
ESCAPE_REGEX_WITHOUT_HTML_ENTITIES = /[\u2028\u2029]/u
# This class wraps all the strings we see and does the extra escaping
class EscapedString < String #:nodoc:
def to_json(*)
if Encoding.escape_html_entities_in_json
super.gsub ESCAPE_REGEX_WITH_HTML_ENTITIES, ESCAPED_CHARS
else
super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
end
end
def to_s
self
end
end
# Mark these as private so we don't leak encoding-specific constructs
private_constant :ESCAPED_CHARS, :ESCAPE_REGEX_WITH_HTML_ENTITIES,
:ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, :EscapedString
# Convert an object into a "JSON-ready" representation composed of
# primitives like Hash, Array, String, Numeric, and true/false/nil.
# Recursively calls #as_json to the object to recursively build a
# fully JSON-ready object.
#
# This allows developers to implement #as_json without having to
# worry about what base types of objects they are allowed to return
# or having to remember to call #as_json recursively.
#
# Note: the +options+ hash passed to +object.to_json+ is only passed
# to +object.as_json+, not any of this method's recursive +#as_json+
# calls.
def jsonify(value)
case value
when String
EscapedString.new(value)
when Numeric, NilClass, TrueClass, FalseClass
value
when Hash
Hash[value.map { |k, v| [jsonify(k), jsonify(v)] }]
when Array
value.map { |v| jsonify(v) }
else
jsonify value.as_json
end
end
# Encode a "jsonified" Ruby data structure using the JSON gem
def stringify(jsonified)
::JSON.generate(jsonified, quirks_mode: true, max_nesting: false)
end
end
class << self
# If true, use ISO 8601 format for dates and times. Otherwise, fall back
# to the Active Support legacy format.
attr_accessor :use_standard_json_time_format
# If true, encode >, <, & as escaped unicode sequences (e.g. > as \u003e)
# as a safety measure.
attr_accessor :escape_html_entities_in_json
# Sets the precision of encoded time values.
# Defaults to 3 (equivalent to millisecond precision)
attr_accessor :time_precision
# Sets the encoder used by Rails to encode Ruby objects into JSON strings
# in +Object#to_json+ and +ActiveSupport::JSON.encode+.
attr_accessor :json_encoder
end
self.use_standard_json_time_format = true
self.escape_html_entities_in_json = true
self.json_encoder = JSONGemEncoder
self.time_precision = 3
end
end
end