kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Replace JSON.load with JSON.parse, also removed the proc parameter

Browse source 
Since we are dealing with untrusted user input, we should not be
using JSON.load. According to the docs[1]:

BEWARE: This method is meant to serialise data from trusted user
input, like from your own database server or clients under your
control, it could be dangerous to allow untrusted users to pass
JSON sources into it. The default options for the parser can be
changed via the ::load_default_options method.

[1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
This commit is contained in:
Godfrey Chan 2013-09-11 16:52:58 -07:00
parent 3d60e9d550
commit b9e142af52
2 changed files with 16 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
activesupport/lib/active_support/json/decoding.rb
View file

@ -13,8 +13,8 @@ module ActiveSupport
#
# ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}")
# => {"team" => "rails", "players" => "36"}
def decode(json, proc = nil, options = {})
data = ::JSON.load(json, proc, options)
def decode(json, options = {})
data = ::JSON.parse(json, options.merge(create_additions: false))
if ActiveSupport.parse_json_times
convert_dates_from(data)
else

15
activesupport/test/json/decoding_test.rb
View file

@ -4,6 +4,12 @@ require 'active_support/json'
require 'active_support/time'
class TestJSONDecoding < ActiveSupport::TestCase
class Foo
def self.json_create(object)
"Foo"
end
end
TESTS = {
%q({"returnTo":{"\/categories":"\/"}}) => {"returnTo" => {"/categories" => "/"}},
%q({"return\\"To\\":":{"\/categories":"\/"}}) => {"return\"To\":" => {"/categories" => "/"}},
@ -52,7 +58,8 @@ class TestJSONDecoding < ActiveSupport::TestCase
# tests escaping of "\n" char with Yaml backend
%q({"a":"\n"}) => {"a"=>"\n"},
%q({"a":"\u000a"}) => {"a"=>"\n"},
%q({"a":"Line1\u000aLine2"}) => {"a"=>"Line1\nLine2"}
%q({"a":"Line1\u000aLine2"}) => {"a"=>"Line1\nLine2"},
%q({"json_class":"TestJSONDecoding::Foo"}) => {"json_class"=>"TestJSONDecoding::Foo"}
}
TESTS.each_with_index do |(json, expected), index|
@ -78,5 +85,11 @@ class TestJSONDecoding < ActiveSupport::TestCase
def test_failed_json_decoding
assert_raise(ActiveSupport::JSON.parse_error) { ActiveSupport::JSON.decode(%({: 1})) }
end
def test_cannot_force_json_unmarshalling
encodeded = %q({"json_class":"TestJSONDecoding::Foo"})
decodeded = {"json_class"=>"TestJSONDecoding::Foo"}
assert_equal decodeded, ActiveSupport::JSON.decode(encodeded, create_additions: true)
end
end