devorums-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2013-Feb-13 12:09 UTC
Fixing code affected by Unsafe Object Creation Vulnerability in JSON
With the latest JSON gem 1.7.7, it's breaking some of my code because I was using:

{"json_class":"SomeClass","foo":"bar"}

So it doesn't recreate the "SomeClass" object back with the new gem update. I can make it work by passing in :create_additions => true but that defeats the point of the update. The class has some attribute values that are defined by the user's user_agent and cookie, but in the code I can't see a way to create new attributes by the user.

Simplified version of some of the code:

class SomeClass
  attr_accessor :name, :cookie, :user_agent

  def initialize(params)
    # symbolize_keys comes from ActiveSupport, so the lookups below use symbols
    params = params.symbolize_keys
    [:name, :cookie, :user_agent].each do |attr_name|
      self.send("#{attr_name}=", params[attr_name])
    end
  end

  # Plain hash of the serialisable attributes, emitted under "data"
  def attributes
    { 'name' => name, 'cookie' => cookie, 'user_agent' => user_agent }
  end

  def to_json(*a)
    {
      'json_class' => self.class.name,
      'data' => self.attributes
    }.to_json(*a)
  end

  # Called by the json gem when create_additions is enabled
  def self.json_create(o)
    new(o['data'])
  end
end

What's the best way to make it work properly? Is it safe to leave it as it is and pass in :create_additions => true?

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/8Qg9f6oZhBoJ.
For more options, visit https://groups.google.com/groups/opt_out.
devorums-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2013-Feb-14 11:48 UTC
Re: Fixing code affected by Unsafe Object Creation Vulnerability in JSON
anyone?

On Wednesday, February 13, 2013 12:09:17 PM UTC, devo...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> With the latest JSON gem 1.7.7, it's breaking some of my code because I was
> using:
>
> {"json_class":"SomeClass","foo":"bar"}
>
> [...]
>
> What's the best way to make it work properly? Is it safe to leave it as it
> is and pass in :create_additions => true?
Jordon Bedwell
2013-Feb-14 11:50 UTC
Re: Re: Fixing code affected by Unsafe Object Creation Vulnerability in JSON
On 02/14/2013 05:48 AM, devorums-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> anyone?
>
> On Wednesday, February 13, 2013 12:09:17 PM UTC, devo...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
>
> With the latest JSON gem 1.7.7, it's breaking some of my code because I was
> using:
>
> {"json_class":"SomeClass","foo":"bar"}
>
> What's the best way to make it work properly? Is it safe to leave it as it
> is and pass in :create_additions => true?

JSON#load instead of #parse. Parse is safe, load is not.
forum mail
2013-Feb-14 15:30 UTC
Re: Re: Fixing code affected by Unsafe Object Creation Vulnerability in JSON
Hi Jordon,

Thanks for your reply! Sorry, forgot to mention I am using #parse but that doesn't make it safe. This article shows how parse is used to take advantage of this issue:
http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection

I forgot to mention that I was doing something like this to convert back the object (which is definitely not right in terms of security):

result = JSON.parse(object, create_additions: true)

Maybe the best option would be to stop serializing/deserializing classes in general.

On Thu, Feb 14, 2013 at 11:50 AM, Jordon Bedwell <envygeeks-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 02/14/2013 05:48 AM, devorums-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
>> anyone?
>>
>> [...]
>>
>> What's the best way to make it work properly? Is it safe to leave it
>> as it is and pass in :create_additions => true?
>
> JSON#load instead of #parse. Parse is safe, load is not.
Jordon Bedwell
2013-Feb-14 15:49 UTC
Re: Re: Fixing code affected by Unsafe Object Creation Vulnerability in JSON
On 02/14/2013 09:30 AM, forum mail wrote:
> Sorry forgot to mention I am using #parse but that doesn't make it safe. This
> article shows how parse is used to take advantage of this issue:
> http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection

That article shows how parse /was/ used to inject; that was fixed. Read the security announcements and update your JSON if you still have that problem. Parse was never meant to act like that and it was an oversight that was quickly fixed once noticed by somebody.

(pry session)

class MyClass
  def self.json_create(attributes)
    new.tap do |instance|
      attributes.each do |key, value|
        instance.instance_variable_set("@#{key}", value)
      end
    end
  end
end

JSON.parse '{
  "json_class":"MyClass",
  "name":"My name",
  "title":"Me"
}'
# => {"json_class"=>"MyClass", "name"=>"My name", "title"=>"Me"}

JSON.load '{
  "json_class":"MyClass",
  "name":"My name",
  "title":"Me"
}'
# => #<MyClass:0x0000000284a6a0>

> Maybe the best option would be to stop serializing/deserializing classes in
> general.

It depends on what you are serializing it for, but I'm not here to judge. All I can say is most of the time, for what people are doing it for, I would probably consider it a dumb ass thing to do, but we all do dumb ass things so I can't really hate you or chastise you for it, only warn that there are probably better ways to go about what you are doing; even if it costs you more CPU time in terms of microseconds that would certainly be better.
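Added example, not code from the thread or from the json gem: the hardened restore the first message asks for, next to the create_additions: true pattern it replaces, illustrating Jordon's point that the parser should return plain data and the caller should decide what becomes an object. SomeClass is reconstructed from the simplified snippet in the first message; OtherClass, the RESTORABLE allowlist, the helper names and the HOSTILE input are constructed for this illustration. It passes create_additions to JSON.parse explicitly instead of relying on JSON.load's defaults, which have changed across json gem versions.

```ruby
require 'json'

# Reconstructed from the poster's simplified SomeClass (example code, not the
# thread's original): the attribute list is explicit so it can double as an
# allowlist when restoring.
class SomeClass
  ATTRIBUTES = %w[name cookie user_agent].freeze
  attr_accessor(*ATTRIBUTES.map(&:to_sym))

  def initialize(params = {})
    ATTRIBUTES.each { |a| public_send("#{a}=", params[a]) }
  end

  def attributes
    ATTRIBUTES.each_with_object({}) { |a, h| h[a] = public_send(a) }
  end

  def to_json(*args)
    { 'json_class' => self.class.name, 'data' => attributes }.to_json(*args)
  end

  # Called by the json gem when create_additions is enabled and the input
  # carries "json_class":"SomeClass".
  def self.json_create(o)
    new(o['data'])
  end
end

# Constructed stand-in for any other class in the process that happens to
# define json_create: with create_additions enabled, the JSON input, not the
# caller, decides which class is instantiated.
class OtherClass
  attr_reader :payload

  def initialize(payload)
    @payload = payload
  end

  def self.json_create(o)
    new(o['data'])
  end
end

# The pattern from the thread: let the parser pick the class from the input.
def unsafe_restore(json)
  JSON.parse(json, create_additions: true)
end

# Hardened version. JSON.parse without create_additions (the default since
# json 1.7.7) returns plain Hashes; the dispatch on class name and the
# attribute allowlist happen here, in application code, not in the parser.
RESTORABLE = { 'SomeClass' => SomeClass }.freeze

def safe_restore(json)
  doc = JSON.parse(json)
  raise ArgumentError, 'expected a JSON object' unless doc.is_a?(Hash)

  klass = RESTORABLE.fetch(doc['json_class']) do |name|
    raise ArgumentError, "refusing to restore #{name.inspect}"
  end
  data = doc['data']
  raise ArgumentError, 'expected a "data" object' unless data.is_a?(Hash)

  # Only the known attribute names reach the constructor, so a client cannot
  # smuggle extra keys in alongside the cookie- or user-agent-derived fields.
  klass.new(data.slice(*klass::ATTRIBUTES))
end

# Constructed sample inputs.
LEGIT = SomeClass.new('name' => 'alice', 'cookie' => 's3ss10n',
                      'user_agent' => 'curl/8.0').to_json
HOSTILE = '{"json_class":"OtherClass","data":{"anything":"goes"}}'

if __FILE__ == $PROGRAM_NAME
  puts unsafe_restore(LEGIT).class     # SomeClass
  puts unsafe_restore(HOSTILE).class   # OtherClass: the input chose the class
  puts safe_restore(LEGIT).class       # SomeClass
  begin
    safe_restore(HOSTILE)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"      # rejected: refusing to restore "OtherClass"
  end
end
```

The allowlist is the whole point: a class name is only honoured if the application has registered it, and only the attributes the class declares are handed to the constructor, so neither the class nor the instance variables are chosen by whoever produced the JSON.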
forum mail
2013-Feb-14 16:35 UTC
Re: Re: Fixing code affected by Unsafe Object Creation Vulnerability in JSON
Sorry to bother you again about this; your example is great, that's what I'd like to achieve. It's old code that I'm trying to maintain. However, when running it locally in a console I get the following:

Loading development environment (Rails 3.2.11)
(irb, ruby 1.9.3p194)

class MyClass
  def self.json_create(attributes)
    new.tap do |instance|
      attributes.each do |key, value|
        instance.instance_variable_set("@#{key}", value)
      end
    end
  end
end

JSON.parse '{
  "json_class":"MyClass",
  "name":"My name",
  "title":"Me"
}'
# => {"json_class"=>"MyClass", "name"=>"My name", "title"=>"Me"}

JSON.load '{
  "json_class":"MyClass",
  "name":"My name",
  "title":"Me"
}'
# => {"json_class"=>"MyClass", "name"=>"My name", "title"=>"Me"}

On Thu, Feb 14, 2013 at 3:49 PM, Jordon Bedwell <envygeeks-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> That article shows how parse /was/ used to inject, that was fixed, read
> the security announcements and update your JSON if you still have that
> problem. Parse was never meant to act like that and it was an oversight
> that was quickly fixed once noticed by somebody.
>
> [...]
>
> It depends on what you are serializing it for but I'm not here to judge,
> [...] only warn that there are
> probably better ways to go about what you are doing, even if it costs you
> more CPU time in terms of micro seconds that would certainly be better.