4

I'm writing a rails application with an AngularJS front-end, this is part of a tutorial series I'm writing on connecting rails and angularjs. This means my rails application communicates with the browser exclusively in JSON.

In the angularjs $http documentation it describes a potential json security vulnerability where the json request can be embedded into a script tag, plus some tricky use of jsonp, to allow something akin to a cross-site scripting attack. I've found a few other pages, one in particular I thought described this well, and dates from 2008, so this isn't a new issue.

Apparently this isn't a vulnerability in standard rails json rendering, as rails by default provides back an object containing an array. But when working with angularjs we appear to set root: false (although I have to confess I can't find where I did that, but it's definitely not giving the root node).

Anyway, the bottom line is that the angular documentation recommends prefixing any json response with )]}', so:

['one','two']

Becomes

)]}',
['one','two']

Angular then automatically strips that off again.

I'm looking for a way to do this elegantly. I've seen a lot of questions and answers on stackoverflow about this, but most of those either relate to much earlier versions of rails before JSON handling was more thoroughly embedded, or seem to require me to create a lot of boilerplate code. I'm looking for a method that I can apply to the application controller, or as a helper method, that will work everywhere.

The controller that I'm currently using looks as follows:

class ClubsController < ApplicationController
  respond_to :json

  # GET /clubs.json
  def index
    @clubs = Club.all        
    render json: @clubs
  end
end

This doesn't call any templates - the render action skips the templating engine. I can get this working by changing the render line instead to:

respond_with json: @clubs

And creating a template file views/clubs/index.json.erb that contains

)]}',
<%= raw(@clubs.to_json) %>

But I'd then have to create a template for every action on every controller, which feels like boilerplate. I'd like instead to be able to change views/layouts/application.json.erb to have something like:

)]}',
<%= yield %>

But that doesn't work because we only get templating if we call respond_with. And if we call respond_with, we have no way to put the @clubs into the response - so we end up with:

)]}',

As the entirety of the response.

An alternative would perhaps be to override the as_json method to prepend what I want, but that seems a bit like a sledgehammer. Ideally there would be a place I could introduce a helper method, something like:

render prepend_vulnerability_protection(json: @clubs)

So, after all that, two questions:

  1. Is this even a real problem, or does Rails already have some other protection that means I don't need to worry about this at all
  2. Is there a way to do this centrally, or do I need to bite the bullet and create all the boilerplate templates? I can modify the scaffold generators to do it, so it's not the end of the world, but it does seem like a lot of boilerplate code
Improve this question

1 Answer 1

Reset to default
4

So, no responses as yet. I'm going to write down what I find from my research, and my current answer.

Firstly, I think this is a genuine vulnerability in rails. Unfortunately the rails and JSON/JSONP area has had some other recent vulnerabilities relating to the JSON parser at the Rails end. That has really drowned out any google search relating to this specific XSS issue.

There are a couple of approaches to resolving this:

  1. Have your application only respond to put/post/delete requests. That's not really an option when integrating to Angular - well, it is, but it means overriding a bunch of standard behaviour
  2. Insert something at the front of your returned JSON - this can be the root node (default rails behaviour in rails 3, no longer in 3.1), a closure like )]};, or a loop like while (1);. Angular expects and can deal with )]}',

I've looked at using a json template in my rails app. You can do this with one of many gems, the one I like the look of is JBuilder (railscast 320), but RABL is perhaps more powerful (railscast 322).

This does mean a template for each of the actions on each of the controllers. However, I've also just completed working out how to have rails scaffold those for me automatically, so it's not as scary as it was when I first asked the question, and I can see some other reasons that I might want more control over the json that is returned from my application.

Having said that, I couldn't immediately see a way to get JBuilder to prepend an arbitrary string - it seems to only want to prepare valid JSON (and this I think is not valid JSON). RABL looks like it can do it, but it is a bit more complex. It can definitely be done through just using ERB, but I feel kinda wrong in doing that.

The other alternative I've identified is a helper method in application_controller.rb, which I then call in each of my controller methods. This is reasonably elegant, and I can quite easily change my template to do it. So I'm going with this for now:

class ApplicationController < ActionController::Base
  def render_with_protection(json_content, parameters = {})
    render parameters.merge(content_type: 'application/json', text: ")]}',\n" + json_content)
  end
end

class ClubsController < ApplicationController
  respond_to :json

  # GET /clubs.json
  def index
    @clubs = Club.all

    render_with_protection @clubs.to_json
  end

  # GET /clubs/1.json
  def show
    @club = Club.find(params[:id])

    render_with_protection @club.to_json
  end

  # POST /clubs.json
  def create
    @club = Club.new(params[:club])

    if @club.save
      render_with_protection @club.to_json, {status: :created, location: @club}
    else
      render_with_protection @club.errors.to_json, {status: :unprocessable_entity}
    end
  end
end

Note that you should be also including CSRF protection in your application controller - so see this as additive to the security precautions you were already taking, not a replacement.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Image
One slight improvement to this approach would be to create an after_filter that prepends the desired string to the response body. Maybe something like: def protect_json; if response.content_type == "application/json"; response.body = ")]}',\n" + response.body; end; end; (Here is a better formatted version: gist.github.com/dwaltrip/fd5e7ef420c401851fd4

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.