Fix possible deserialization of untrusted data

There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. This vulnerability has been assigned the CVE identifier CVE-2023-27531. Carefully crafted JSON data processed by Kredis may result in deserialization of untrusted data, potentially leading to deserialization of unexpected objects in the system. Any applications using Kredis with JSON are affected.
rails · Mar 13, 2023 · d576b7a · d576b7a
1 parent 1c2e3a6
commit d576b7a
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/lib/kredis/type/json.rb b/lib/kredis/type/json.rb
@@ -8,7 +8,7 @@ def type
       end
 
       def cast_value(value)
-        JSON.load(value)
+        JSON.parse(value)
       end
 
       def serialize(value)

diff --git a/test/types/scalar_test.rb b/test/types/scalar_test.rb
@@ -60,6 +60,9 @@ class ScalarTest < ActiveSupport::TestCase
     json = Kredis.json "myscalar"
     json.value = { "one" => 1, "string" => "hello" }
     assert_equal({ "one" => 1, "string" => "hello" }, json.value)
+
+    json.value = {"json_class"=>"String", "raw"=>[97, 98, 99]}
+    assert_equal({"json_class"=>"String", "raw"=>[97, 98, 99]}, json.value)
   end
 
   test "invalid type" do