CVE-2020-10663 PoC — Ruby JSON gem Input Validation Error Vulnerability

Source
Associated Vulnerability
Title: Ruby JSON gem Input Validation Error Vulnerability (CVE-2020-10663)
Description: The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Description
Workaround for CVE-2020-10663 (vulnerability in json gem)
Readme
# Workaround for CVE-2020-10663 (vulnerability in json gem)

The `json` gem has a security vulnerability [CVE-2020-10663](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/). When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system.

Users are strongly advised to upgrade to `json` 2.3.0 or later.

For users who cannot upgrade their version of `json`, this gem (`json_cve_2020_10663`) monkey-patches your `json` version against CVE-2020-10663.

**Note that if you are using a current version of Rails 3.2 LTS or 4.2 LTS, this gem is no longer required.**

## Requirements

- Ruby 1.8.7 or later
- `json` 1.7.7 or later, but earlier than 2.3.0.

## Installation

Add this line to your application's `Gemfile`:

```ruby
gem 'json_cve_2020_10663'
```

And then execute:

```
$ bundle
```

Or install it yourself as:

```
$ gem install json_cve_2020_10663
```

Require the gem to patch the `json` gem:

```ruby
require 'json_cve_2020_10663'
```

Note that Rails automatically requires all gems in your `Gemfile` when your app is booted.

You can verify that the patch was applied by running the following code from your application environment:

```ruby
JSON::GenericObject.json_creatable = true
JSON('{"json_class":"JSON::GenericObject"}').class
```

If this returns `Hash`, the patch was applied correctly. If it returns `JSON::GenericObject`, the patch was not loaded.
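
A broader version of this check, as an added example that is not part of the gem or its README: it goes beyond the single `JSON(...)` call above by exercising three default parsing calls and adding a control. The probe class `Cve202010663Probe`, the constant names and the function names are assumptions made for this example.

```ruby
require 'json'

# Hypothetical probe class (an assumption of this example, not part of json
# or json_cve_2020_10663). json treats a class as creatable when it responds
# to json_create.
class Cve202010663Probe
  def self.json_create(_attrs)
    new
  end
end

# Constructed input naming the probe class through the "json_class" key.
PROBE_DOC = '{"json_class":"Cve202010663Probe"}'

# Parsing calls that do not explicitly opt in to object creation.
DEFAULT_PATHS = {
  'JSON(doc)'            => ->(doc) { JSON(doc) },
  'JSON.parse(doc)'      => ->(doc) { JSON.parse(doc) },
  'JSON.parse(doc, nil)' => ->(doc) { JSON.parse(doc, nil) }
}.freeze

# Names of the default calls that instantiated the probe instead of
# returning a Hash. Empty means json is upgraded or the patch is loaded.
def unsafe_json_paths
  DEFAULT_PATHS.select { |_name, call| call.call(PROBE_DOC).is_a?(Cve202010663Probe) }.keys
end

# Control: with create_additions explicitly enabled, json builds the probe,
# confirming the probe class itself is wired up correctly.
def probe_works?
  JSON.parse(PROBE_DOC, create_additions: true).is_a?(Cve202010663Probe)
end

if $PROGRAM_NAME == __FILE__
  unsafe = unsafe_json_paths
  puts "json #{JSON::VERSION}, probe control ok: #{probe_works?}"
  puts unsafe.empty? ? 'default parsing returns Hash' : "object creation via: #{unsafe.join(', ')}"
end
```

Run from the application environment (for example a Rails initializer or `bin/console`), a non-empty result from `unsafe_json_paths` means neither the upgrade nor the patch is in effect.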


## Development

After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).

## License

The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
File Snapshot

```
[4.0K] /data/pocs/804e60742313dd8423e85270fac003e9dd52ff3a
├── [4.0K] bin
│   ├── [ 354] console
│   └── [ 131] setup
├── [ 174] Gemfile
├── [ 694] Gemfile.lock
├── [1.1K] json_cve_2020_10663.gemspec
├── [4.0K] lib
│   ├── [4.0K] json_cve_2020_10663
│   │   ├── [ 249] patch.rb
│   │   └── [ 51] version.rb
│   └── [ 75] json_cve_2020_10663.rb
├── [1.1K] LICENSE.txt
├── [ 117] Rakefile
├── [2.1K] README.md
└── [4.0K] spec
    ├── [1.1K] json_cve_2020_10663_spec.rb
    └── [ 273] spec_helper.rb

4 directories, 13 files
```