CVE-2020-10663 PoC — Ruby JSON gem input validation error vulnerability

Source
Associated Vulnerability
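Title: Ruby JSON gem input validation error vulnerability (CVE-2020-10663)
Description: Ruby JSON gem is a Ruby-based package for parsing JSON from text and generating JSON text from Ruby objects. A security vulnerability exists in Ruby JSON gem 2.2.0 and earlier (as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5). An attacker can exploit this vulnerability to force the creation of arbitrary objects in the target system.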
Description
Workaround for CVE-2020-10663 (vulnerability in json gem)
Readme
# Workaround for CVE-2020-10663 (vulnerability in json gem)

The `json` gem has a security vulnerability [CVE-2020-10663](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/). When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system.

Users are strongly advised to upgrade to `json` 2.3.0 or later.

For users who cannot upgrade their version of `json`, this gem (`json_cve_2020_10663`) monkey-patches your `json` version against CVE-2020-10663.

**Note that if you are using a current version of Rails 3.2 LTS or 4.2 LTS, this gem is no longer required.**

## Requirements

- Ruby 1.8.7 or later
- `json` 1.7.7 or later, but earlier than 2.3.0.

## Installation

Add this line to your application's `Gemfile`:

```ruby
gem 'json_cve_2020_10663'
```

And then execute:

```
$ bundle
```

Or install it yourself as:

```
$ gem install json_cve_2020_10663
```

Require the gem to patch the `json` gem:

```ruby
require 'json_cve_2020_10663'
```

Note that Rails automatically requires all gems in your `Gemfile` when your app is booted.

You can verify that the patch was applied by running the following code from your application environment:

```ruby
JSON::GenericObject.json_creatable = true
JSON('{"json_class":"JSON::GenericObject"}').class
```

If this returns `Hash`, the patch was applied correctly. If it returns `JSON::GenericObject`, the patch was not loaded.
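
The same check can be run as a boot-time guard. The following is an added example, not code from this gem or from `json`; it generalizes the check above from `JSON::GenericObject` to any class that defines `json_create`. The names `JsonCveProbe`, `unsafe_json_entry_points`, `probe_creatable?` and `assert_json_hardened!` are hypothetical, and the probe document is constructed for the example.

```ruby
require 'json'

# Constructed probe class (hypothetical, not part of json or this gem).
# The parser may instantiate any class that responds to .json_create
# when "additions" are enabled.
class JsonCveProbe
  def self.json_create(_attrs)
    new
  end
end

# Constructed sample input: a document naming the probe class.
PROBE_DOC = '{"json_class":"JsonCveProbe"}'.freeze

# Entry points called without an explicit :create_additions option.
# On a fixed or patched json these must return a plain Hash.
DEFAULT_ENTRY_POINTS = {
  'JSON(doc)'       => lambda { |doc| JSON(doc) },
  'JSON.parse(doc)' => lambda { |doc| JSON.parse(doc) }
}.freeze

# Names of the entry points that turned the document into a JsonCveProbe.
def unsafe_json_entry_points(doc = PROBE_DOC)
  DEFAULT_ENTRY_POINTS.select { |_name, parse| parse.call(doc).is_a?(JsonCveProbe) }.keys
end

# Positive control: with additions explicitly enabled the probe must be
# created, otherwise an empty result above would prove nothing.
def probe_creatable?
  JSON.parse(PROBE_DOC, :create_additions => true).is_a?(JsonCveProbe)
end

# Raises unless every default entry point ignores json_class.
def assert_json_hardened!
  raise 'probe class was not creatable; check is inconclusive' unless probe_creatable?
  unsafe = unsafe_json_entry_points
  return true if unsafe.empty?
  raise SecurityError,
        "json #{JSON::VERSION} creates objects from json_class via: #{unsafe.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  assert_json_hardened!
  puts "json #{JSON::VERSION}: default entry points ignore json_class"
end
```

Calling `assert_json_hardened!` from an initializer makes the application fail at boot if the patch is missing, for example after a `Gemfile` change drops the `require`.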


## Development

After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).

## License

The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
File Snapshot

```
[4.0K] /data/pocs/804e60742313dd8423e85270fac003e9dd52ff3a
├── [4.0K] bin
│   ├── [ 354] console
│   └── [ 131] setup
├── [ 174] Gemfile
├── [ 694] Gemfile.lock
├── [1.1K] json_cve_2020_10663.gemspec
├── [4.0K] lib
│   ├── [4.0K] json_cve_2020_10663
│   │   ├── [ 249] patch.rb
│   │   └── [ 51] version.rb
│   └── [ 75] json_cve_2020_10663.rb
├── [1.1K] LICENSE.txt
├── [ 117] Rakefile
├── [2.1K] README.md
└── [4.0K] spec
    ├── [1.1K] json_cve_2020_10663_spec.rb
    └── [ 273] spec_helper.rb

4 directories, 13 files
```