Unsafe Object Creation Vulnerability in JSON (Additional fix)
When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.
Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your version of json has known security vulnerabilities 🚨
Advisory: CVE-2020-10663 Disclosed: March 19, 2020 URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Unsafe Object Creation Vulnerability in JSON (Additional fix)
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ json (indirect, 2.2.0 → 2.3.0) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 53 commits:
v2.3.0Add some more recent jrubyMake tests green on jrubyUpdate travis configIgnore log filesMerge pull request #391 from headius/prep_2.3.0Bump versions for 2.3.0.Merge pull request #390 from flori/relax-test-unitrelax test-unit version for old rubyMerge branch 'zenspider-zenspider/ruby-2.7'Merge branch 'zenspider/ruby-2.7' of https://github.com/zenspider/json into zenspider-zenspider/ruby-2.7Merge pull request #388 from flori/backport-ruby-coreSkip useless testBump to test-unit 3 to get warnings cleaned up.Fix warning from trying to access an uninitialized ivar.Fix syntax warnings from tests.Minor cleanup for ruby 2.7 warnings and failures.Removed duplicate fileAdd NaN / Infinity / MinusInfinity to mark listext/json/parser/prereq.mk: Add a "automatically generated" headerext/json/parser/parser.rl: Use "signed" char to contain negative valuesAdd `GC.compact` again.ext/json/parser/parser.rl: Update the source code of parser.cSuppress uninitialized instance variable warningsRemoved useless `freeze`s from gemspec filesDrop fossil rubygems supportRemoved binary lineFix JSON::Parser against bigdecimal updates[flori/json] Fixed unexpected illegal/malformed utf-8 errorIgnore warnings about ambiguous first argument of regexp with assert match.Make rb_scan_args handle keywords more similar to Ruby methods (#2460)Ignore warnings about ambiguous first argument with the negative integer.Remove unused constant.Look up constant instead of caching in a globalMerge pull request #381 from olleolleolle/patch-1Gemspec: Drop EOL'd property rubyforge_projectRecreate gemspecsMerge pull request #367 from sho-h/add-ascii_only-documentMerge pull request #378 from olleolleolle/patch-1Remove RubyForge homepage referenceUse newest rubygemsPass args all #to_json in json/add/*.Add LICENSE fileMerge branch 'master' of github.com:flori/jsonDoes not check whether illegal utf-8 if string has ascii only.Convert string encoding to UTF-8 only when neededConvert String encoding using `rb_str_encode()`Add shortcut converting to StringConvert Hash object using rb_hash_foreach()Only attempt to resize strings not other objectsTest on newer rubiesMerge pull request #376 from olleolleolle/patch-1README: Docs at rubydoc.info, not on rubyforgeDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands