1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
ruby--ruby/spec/ruby/security/cve_2020_10663_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

40 lines
1 KiB
Ruby
Raw Normal View History

2020-03-27 19:22:51 -04:00
require_relative '../spec_helper'
require 'json'
module JSONSpecs
class MyClass
def initialize(foo)
@foo = foo
end
def self.json_create(hash)
new(*hash['args'])
end
def to_json(*args)
{ 'json_class' => self.class.name, 'args' => [ @foo ] }.to_json(*args)
end
end
end
guard -> {
JSON.const_defined?(:Pure) or
version_is(JSON::VERSION, '2.3.0')
} do
2022-04-25 08:53:54 -04:00
describe "CVE-2020-10663 is resisted by" do
it "only creating custom objects if passed create_additions: true or using JSON.load" do
obj = JSONSpecs::MyClass.new("bar")
JSONSpecs::MyClass.should.json_creatable?
json = JSON.dump(obj)
2020-03-27 19:22:51 -04:00
2022-04-25 08:53:54 -04:00
JSON.parse(json, create_additions: true).class.should == JSONSpecs::MyClass
JSON(json, create_additions: true).class.should == JSONSpecs::MyClass
JSON.load(json).class.should == JSONSpecs::MyClass
2020-03-27 19:22:51 -04:00
2022-04-25 08:53:54 -04:00
JSON.parse(json).class.should == Hash
JSON.parse(json, nil).class.should == Hash
JSON(json).class.should == Hash
2020-03-27 19:22:51 -04:00
end
end
end