Ruby on Rails ActiveSupport SafeBuffer Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the ActiveSupport component of Ruby on Rails. This issue arises in all versions prior to 7.0.4.3 and 6.1.7.3, when the new 'bytesplice' method is used on a SafeBuffer object containing untrusted user input. The vulnerability exists because ActiveSupport's SafeBuffer subclass, which is designed to handle HTML-safe strings, does not properly recognize the 'bytesplice' method as a mutation, leading to potential XSS risks.

Impact

Exploitation of this vulnerability could result in cross-site scripting, allowing an attacker to inject malicious scripts that could be executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a SafeBuffer string marked as HTML-safe. Then, call the 'bytesplice' method on this string, inserting untrusted user input. This will demonstrate how the vulnerability can be exploited by manipulating the SafeBuffer's HTML-safe status without proper sanitization.

Remediation

Users can upgrade to Ruby on Rails versions 7.0.4.3 or 6.1.7.3 to address this vulnerability. For those unable to upgrade immediately, a patch is available for both the 6.1 and 7.0 series.