Sep 28 2013

Parsing Unsanitized JSON from Ruby


Recently CVE-2013-0269 was filed against the json gem and a subsequent patch was pushed resolving the issue. The root cause was the json gem's automatic mapping of class names, encoded as strings in JSON data, to Ruby classes. The Ruby class name lookup mechanism used there automatically converts strings into symbols, which are not garbage collected by Ruby. This means that if a machine uses json to parse unsanitized JSON input, it may be subject to a DoS attack.

RJR currently supports this automatic conversion of classes, so the situation is problematic. Technically RJR doesn't need to support this, but it's a nice feature to have. After a bit of investigation I filed an issue with a few workarounds, along with a pull request. These are detailed below:

- Workaround 1: Override the JSON string -> Ruby class lookup/conversion mechanism.
  - Benefits: quick, easy, efficient
  - Drawbacks: requires overriding an external dependency's code, which may have unintended consequences

- Workaround 2: Use a two-stage parsing process, doing a string comparison in between stages
  - Benefits: non-intrusive, map any way you want
  - Drawbacks: slow, multiple parsing passes take time

- JSON gem patch: Introduce a callback mechanism to specify a custom string -> class mapping
  - Simple support for overriding the json -> ruby conversion with custom behaviour
  - Falls back to the default behaviour if not specified
  - See the pull request here

I'm hoping the pull request to json will be accepted so that I can just rely on a custom matcher plugin in rjr. In the meantime I've pushed a patch to rjr that implements a hybrid solution: it supports the registration of JSON-creatable classes, but will also fall back on the class namespace to try to resolve references. Since this is all used and encapsulated in rjr itself, the JSON module does not have to be monkey patched.
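As an added example (not rjr's code and not the json gem's patch), the registry-based two-stage approach from Workaround 2 and the hybrid patch above, in Ruby: parse with additions disabled, then rebuild only classes that were explicitly registered, comparing the json_class value as a plain string. `SafeJSON`, `Point` and the sample inputs are constructed for this example.

```ruby
require 'json'
# Added example, not RJR's code: a registry of JSON-creatable classes plus a
# deserializer that consults only that registry. Stage 1 parses with additions
# disabled so the json gem never looks up class names; stage 2 walks the tree
# and compares each json_class value, as a plain string, to the registry.
module SafeJSON
  CREATE_ID = 'json_class'.freeze # key the json gem uses for class names
  REGISTRY = {}
  def self.register(klass) # klass must respond to .json_create(hash)
    REGISTRY[klass.name] = klass
  end
  def self.parse(str)
    convert(JSON.parse(str, create_additions: false))
  end
  # Children are converted first so nested registered objects are rebuilt too.
  # The name never reaches const_get or to_sym, so no constant or symbol is
  # created for an attacker-controlled string.
  def self.convert(obj)
    case obj
    when Array then obj.map { |e| convert(e) }
    when Hash
      out = obj.each_with_object({}) { |(k, v), h| h[k] = convert(v) }
      name = out[CREATE_ID]
      return out unless name.is_a?(String)
      klass = REGISTRY[name]
      raise ArgumentError, "unregistered json_class: #{name.inspect}" unless klass
      klass.json_create(out)
    else obj
    end
  end
end

# A constructed JSON-creatable class for the demo.
class Point
  attr_reader :x, :y
  def initialize(x, y); @x, @y = x, y; end
  def self.json_create(h); new(h['x'], h['y']); end
end
SafeJSON.register(Point)

# Constructed inputs: a registered class name and an unregistered one.
GOOD = '{"json_class":"Point","x":1,"y":2}'.freeze
BAD  = '{"json_class":"Unregistered::Thing","x":0}'.freeze

def demo
  point = SafeJSON.parse(GOOD)
  rejected = begin; SafeJSON.parse(BAD); nil; rescue ArgumentError => e; e.message; end
  [point, rejected]
end
```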

You can find the latest RJR release on rubygems.org.