Parsing Unsanitized JSON from Ruby Sep 28, 2013
Recently CVE-2013-0269 was filed against the json gem and a subsequent patch pushed resolving the issue. The root culprit was caused by the json's gems automatic mapping of string class names encoded in json data to Ruby classes. The Ruby class name lookup mechanisms (used here) automatically converts strings into symbols which are not garbage collected by Ruby. This means if a machine uses json to parse unsanitized JSON code, it may be subject to a DOS attack.
RJR currently supports this automatic conversion of classes so the situation is problematic. Technically RJR doesn't need to support this, but it's a nice feature to have. After a bit of investigation I filed an issue with a few workarounds, along with a pull request. These are detailed below:
- Workaround 1: Override the JSON string -> Ruby class lookup/conversion mechanism.
- Benefits: quick, easy, efficient
- Drawbacks: requiring overriding an external dependency's code, may have unintended consequences
- Workaround 2: Use a two stage parsing process, doing a string comparison inbetween stages
- Benefits: Non-intruisive, map any way you want
- Drawbacks: Slow, multiple parsing passes takes time
- JSON gem patch: Introduce a callback mechanism to specify custom string -> class mapping
- Simple support for overriding json -> ruby conversion w/ custom behavior
- Falls back to default behaviour if not specified
- See the pull request here
I'm hoping the pull request to json will be accepted so that I can just rely on a custom matcher plugin in rjr. In the meantime I've just pushed a patch to rjr that implements a hybrid solution. It supports the registration of json creatable classes but will also rely on the class namespace to try to resolve references as a fallback. Since this is all used and encapsulated in rjr itself, the JSON module does not have to be monkey patched.
You can find the latest RJR release on rubygems.org.