RubyGems - oj - Versions diffs - 2.0.3 → 2.0.4 - Mend

oj 2.0.3 → 2.0.4

Potentially problematic release.

This version of oj might be problematic. Click here for more details.

Files changed (8) hide show

data/README.md CHANGED

@@ -32,9 +32,15 @@ A fast JSON parser and Object marshaller as a Ruby gem.
 ## <a name="release">Release Notes</a>
-### Release 2.0.3
+### Release 2.0.4
- - Fixed round off error in time format when rounding up to the next second.
+ - Fixed bug related to long class names.
+ - Change the default for the auto_define option.
+ - Added Oj.strict_load() method that sets the options to public safe options. This should be safe for loading JSON
+   documents from a public unverified source. It does not eleviate to need for reasonable programming practices of
+   course. See the section on the <a href="#proper_use">proper use of Oj</a> in a public exposure.
 ## <a name="description">Description</a>
@@ -80,6 +86,21 @@ each element. The Oj::Saj API is useful when only portions of the JSON are of in
 faster than conventional JSON are possible. The API is simple to use but does require a different approach than the
 conventional parse followed by access approach used by conventional JSON parsing.
+## <a name="proper_use">Proper Use</a>
+Two settings in Oj are useful for parsing but do expose a vunerability if used from an untrusted source. Symbolizing
+keys can be used to cause memory to be filled up since Ruby does not garbage collect Symbols. The same is true for auto
+defining classes. Memory can be exhausted if too many classes are automatically defined. Auto defining is a useful
+feature during development and from trusted sources but it does allow too many classes to be created in the object load
+mode and auto defined is used with an untrusted source. The Oj.strict_load() method sets uses the most strict and safest
+options. It should be used by developers who find it difficult to understand the options available in Oj.
+The options in Oj are designed to provide flexibility to the developer. This flexibility allows Objects to be serialized
+and deserialized. No methods are ever called on these created Objects but that does not stop the developer from calling
+methods on the Objects created. As in any system, check your inputs before working with them. Taking an arbitrary String
+from a user and evaluating it is never a good idea from an unsecure source. The same is true for Object attributes as
+they are not more than Strings. Always check inputs from untrusted sources.
 ## <a name="compare">Comparisons</a>
 ### Fast Oj::Doc parser comparisons

data/ext/oj/dump.c CHANGED

@@ -268,6 +268,7 @@ dump_unicode(const char *str, const char *end, Out out) {
 	cnt = 5;
 	code = b & 0x00000001;
     } else {
+	cnt = 0;
 	rb_raise(rb_eEncodingError, "Invalid Unicode\n");
     }
     str++;

data/ext/oj/load.c CHANGED

@@ -139,10 +139,12 @@ resolve_classname(VALUE mod, const char *class_name, int auto_define) {
     VALUE	clas;
     ID		ci = rb_intern(class_name);
-    if (rb_const_defined_at(mod, ci) || !auto_define) {
+    if (rb_const_defined_at(mod, ci)) {
 	clas = rb_const_get_at(mod, ci);
-    } else {
+    } else if (auto_define) {
 	clas = rb_define_class_under(mod, class_name, oj_bag_class);
+    } else {
+	clas = Qundef;
     }
     return clas;
 }
@@ -169,6 +171,7 @@ classname2class(const char *name, ParseInfo pi) {
 #endif
     if (Qundef == (clas = oj_cache_get(oj_class_cache, name, &slot))) {
 	char		class_name[1024];
+	char		*end = class_name + sizeof(class_name) - 1;
 	char		*s;
 	const char	*n = name;
@@ -184,6 +187,8 @@ classname2class(const char *name, ParseInfo pi) {
 		    return Qundef;
 		}
 		s = class_name;
+	    } else if (end <= s) {
+		raise_error("Invalid classname, limit is 1024 characters", pi->str, pi->s);
 	    } else {
 		*s++ = *n;
 	    }

data/ext/oj/oj.c CHANGED

@@ -122,7 +122,7 @@ static const char	json_class[] = "json_class";
 struct _Options	oj_default_options = {
     0,			// indent
     No,			// circular
-    Yes,		// auto_define
+    No,			// auto_define
     No,			// sym_key
     No,			// ascii_only
     ObjectMode,		// mode
@@ -395,8 +395,8 @@ parse_options(VALUE ropts, Options copts) {
 static VALUE
 load_with_opts(VALUE input, Options copts) {
-    char	*json;
-    size_t	len;
+    char	*json = 0;
+    size_t	len = 0;
     VALUE	obj;
     if (rb_type(input) == T_STRING) {
@@ -531,6 +531,24 @@ load_file(int argc, VALUE *argv, VALUE self) {
     return obj;
 }
+/* call-seq: strict_load(doc)
+ *
+ * Loads a JSON document in strict mode with auto_define and symbol_keys turned off. This function should be safe to use
+ * with JSON received on an unprotected public interface.
+ * @param [String|IO] doc JSON String or IO to load
+ * @return [Hash|Array|String|Fixnum|Bignum|BigDecimal|nil|True|False]
+ */
+static VALUE
+strict_load(VALUE self, VALUE doc) {
+    struct _Options	options = oj_default_options;
+    options.auto_define = No;
+    options.sym_key = No;
+    options.mode = StrictMode;
+    return load_with_opts(doc, &options);
+}
 /* call-seq: dump(obj, options) => json-string
  *
  * Dumps an Object (obj) to a string.
@@ -591,8 +609,8 @@ to_file(int argc, VALUE *argv, VALUE self) {
 static VALUE
 saj_parse(int argc, VALUE *argv, VALUE self) {
     struct _Options	copts = oj_default_options;
-    char		*json;
-    size_t		len;
+    char		*json = 0;
+    size_t		len = 0;
     VALUE		input = argv[1];
     if (argc < 2) {
@@ -994,6 +1012,7 @@ void Init_oj() {
     rb_define_module_function(Oj, "mimic_JSON", define_mimic_json, -1);
     rb_define_module_function(Oj, "load", load, -1);
     rb_define_module_function(Oj, "load_file", load_file, -1);
+    rb_define_module_function(Oj, "strict_load", strict_load, 1);
     rb_define_module_function(Oj, "dump", dump, -1);
     rb_define_module_function(Oj, "to_file", to_file, -1);

data/lib/oj/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Oj
   # Current version of the module.
-  VERSION = '2.0.3'
+  VERSION = '2.0.4'
 end

data/test/bug.rb CHANGED

@@ -1 +1,2 @@
-Oj.load('{":s": 1}', :symbol_keys => true)
+Oj.load(%{{"json_class":"#{'x'*1300}"}})

data/test/tests.rb CHANGED

@@ -112,7 +112,7 @@ class Juice < ::Test::Unit::TestCase
     assert_equal({ :indent=>0,
                    :second_precision=>9,
                    :circular=>false,
-                   :auto_define=>true,
+                   :auto_define=>false,
                    :symbol_keys=>false,
                    :ascii_only=>false,
                    :mode=>:object,
@@ -126,7 +126,7 @@ class Juice < ::Test::Unit::TestCase
       :indent=>0,
       :second_precision=>9,
       :circular=>false,
-      :auto_define=>true,
+      :auto_define=>false,
       :symbol_keys=>false,
       :ascii_only=>false,
       :mode=>:object,
@@ -137,7 +137,7 @@ class Juice < ::Test::Unit::TestCase
       :indent=>4,
       :second_precision=>7,
       :circular=>true,
-      :auto_define=>false,
+      :auto_define=>true,
       :symbol_keys=>true,
       :ascii_only=>true,
       :mode=>:compat,
@@ -818,7 +818,7 @@ class Juice < ::Test::Unit::TestCase
   "^o":"Jem",
   "x":true,
   "y":58 }}
-    obj = Oj.load(json, :mode => :object)
+    obj = Oj.load(json, :mode => :object, :auto_define => true)
     assert_equal('Jem', obj.class.name)
     assert_equal(true, obj.x)
     assert_equal(58, obj.y)

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oj
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.4
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-03 00:00:00.000000000 Z
+date: 2013-02-11 00:00:00.000000000 Z
 dependencies: []
 description: ! 'The fastest JSON parser and object serializer. '
 email: peter@ohler.com
@@ -97,3 +97,4 @@ signing_key:
 specification_version: 3
 summary: A fast JSON parser and serializer.
 test_files: []
+has_rdoc: true