From d576b7ae5c8d3d74eeb4bd84cad0aa64ffc299fa Mon Sep 17 00:00:00 2001
From: eileencodes
Date: Mon, 13 Mar 2023 14:16:42 -0400
Subject: [PATCH] Fix possible deserialization of untrusted data

There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. This vulnerability has been assigned the CVE identifier CVE-2023-27531. Carefully crafted JSON data processed by Kredis may result in deserialization of untrusted data, potentially leading to deserialization of unexpected objects in the system. Any applications using Kredis with JSON are affected.
---
 lib/kredis/type/json.rb | 2 +-
 test/types/scalar_test.rb | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/kredis/type/json.rb b/lib/kredis/type/json.rb
index 4183d5f..d78b604 100644
--- a/lib/kredis/type/json.rb
+++ b/lib/kredis/type/json.rb
@@ -8,7 +8,7 @@ def type
 end
 
 def cast_value(value)
- JSON.load(value)
+ JSON.parse(value)
 end
 
 def serialize(value)
diff --git a/test/types/scalar_test.rb b/test/types/scalar_test.rb
index 03a3ddc..53192e4 100644
--- a/test/types/scalar_test.rb
+++ b/test/types/scalar_test.rb
@@ -60,6 +60,9 @@ class ScalarTest < ActiveSupport::TestCase
 json = Kredis.json "myscalar"
 json.value = { "one" => 1, "string" => "hello" }
 assert_equal({ "one" => 1, "string" => "hello" }, json.value)
+
+ json.value = {"json_class"=>"String", "raw"=>[97, 98, 99]}
+ assert_equal({"json_class"=>"String", "raw"=>[97, 98, 99]}, json.value)
 end
 
 test "invalid type" do
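Review bot: The new `JSON.parse(value)` in cast_value relies on JSON.parse's default of `create_additions: false` to stop `json_class` objects from being instantiated, and nothing on the line says so; a later contributor who "restores" JSON.load, or a future library default change, would silently reopen the issue, so state the intent explicitly as `JSON.parse(value, create_additions: false)` and add above it `# Never JSON.load here: it honors "json_class" additions and would instantiate arbitrary classes from stored data.`. Separately, JSON.load returned nil for a nil input whereas JSON.parse raises TypeError; if cast_value can receive nil for a missing key (the caller is outside this hunk, so I cannot confirm), a guard such as `return nil if value.nil?` keeps the old behaviour for that case. The enclosing class of cast_value begins outside the hunk.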
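Review bot: The added assertion in scalar_test.rb does not say what it is guarding, so a reader will see a second round-trip test rather than the regression check it is; a one-line comment above the new `json.value =` line, `# Regression for CVE-2023-27531: a "json_class" key must round-trip as plain data, never be instantiated.`, makes the purpose survive future edits. The new hash literals also use `{"json_class"=>"String", ...}` while the line just above uses the file's `{ "one" => 1, ... }` spacing; writing them as `{ "json_class" => "String", "raw" => [97, 98, 99] }` keeps the test consistent. The test method's `test ... do` line lies outside the hunk.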