Unsafe Object Creation Vulnerability in JSON (Additional fix)
When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.
Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your version of json has known security vulnerabilities 🚨
Advisory: CVE-2020-10663 Disclosed: March 19, 2020 URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Unsafe Object Creation Vulnerability in JSON (Additional fix)
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ json (indirect, 2.2.0 → 2.3.0) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 53 commits:
v2.3.0
Add some more recent jruby
Make tests green on jruby
Update travis config
Ignore log files
Merge pull request #391 from headius/prep_2.3.0
Bump versions for 2.3.0.
Merge pull request #390 from flori/relax-test-unit
relax test-unit version for old ruby
Merge branch 'zenspider-zenspider/ruby-2.7'
Merge branch 'zenspider/ruby-2.7' of https://github.com/zenspider/json into zenspider-zenspider/ruby-2.7
Merge pull request #388 from flori/backport-ruby-core
Skip useless test
Bump to test-unit 3 to get warnings cleaned up.
Fix warning from trying to access an uninitialized ivar.
Fix syntax warnings from tests.
Minor cleanup for ruby 2.7 warnings and failures.
Removed duplicate file
Add NaN / Infinity / MinusInfinity to mark list
ext/json/parser/prereq.mk: Add a "automatically generated" header
ext/json/parser/parser.rl: Use "signed" char to contain negative values
Add `GC.compact` again.
ext/json/parser/parser.rl: Update the source code of parser.c
Suppress uninitialized instance variable warnings
Removed useless `freeze`s from gemspec files
Drop fossil rubygems support
Removed binary line
Fix JSON::Parser against bigdecimal updates
[flori/json] Fixed unexpected illegal/malformed utf-8 error
Ignore warnings about ambiguous first argument of regexp with assert match.
Make rb_scan_args handle keywords more similar to Ruby methods (#2460)
Ignore warnings about ambiguous first argument with the negative integer.
Remove unused constant.
Look up constant instead of caching in a global
Merge pull request #381 from olleolleolle/patch-1
Gemspec: Drop EOL'd property rubyforge_project
Recreate gemspecs
Merge pull request #367 from sho-h/add-ascii_only-document
Merge pull request #378 from olleolleolle/patch-1
Remove RubyForge homepage reference
Use newest rubygems
Pass args all #to_json in json/add/*.
Add LICENSE file
Merge branch 'master' of github.com:flori/json
Does not check whether illegal utf-8 if string has ascii only.
Convert string encoding to UTF-8 only when needed
Convert String encoding using `rb_str_encode()`
Add shortcut converting to String
Convert Hash object using rb_hash_foreach()
Only attempt to resize strings not other objects
Test on newer rubies
Merge pull request #376 from olleolleolle/patch-1
README: Docs at rubydoc.info, not on rubyforge
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands