Last active
December 21, 2015 06:08
-
-
Save movitto/6261634 to your computer and use it in GitHub Desktop.
Workaround to security fix in rubygem-json commit #d0a62f3c fixing a situation which attacker could use the constant resolution mechanism in the json gem to subject the machine running it to a DoS attack. The fix involved disabling the conversion of json into ruby classes by default and recommending that the developer only enable it for validate…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'json' | |
| module JSON | |
| class << self | |
| def deep_const_get(path) | |
| path.to_s.split(/::/).inject(Object) do |p, c| | |
| case | |
| when c.empty? then p | |
| when p.constants.collect { |c| c.to_s }.include?(c) | |
| then p.const_get(c) | |
| # currently no way to do const_missing without converting | |
| # the user input into a symbol | |
| else raise ArgumentError, "can't get const #{path}" | |
| end | |
| end | |
| end | |
| end | |
| end | |
| class Foo | |
| class << self | |
| def json_creatable? | |
| true | |
| end | |
| end | |
| def to_json(*a) | |
| {'json_class' => self.class.to_s, | |
| 'data' => []}.to_json(*a) | |
| end | |
| def self.json_create(o) | |
| new(*o['data']) | |
| end | |
| end | |
| j = Foo.new.to_json | |
| puts " #{j.class} #{j}" | |
| f = JSON.parse j, :create_additions => true | |
| puts " #{f.class} #{f}" | |
| j2 = '{"json_class":"Fooz","data":[]}' | |
| ns1 = Symbol.all_symbols.size | |
| begin | |
| JSON.parse j2, :create_additions => true | |
| rescue => e | |
| ns2 = Symbol.all_symbols.size | |
| # comment out json monkey-patch above | |
| # to watch this change: | |
| puts "#{e} #{ns1} #{ns2}" | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment