Fix possible deserialization of untrusted data

eileencodes · eileencodes · commit d576b7ae5c8d · 2023-03-13T14:20:22.000-04:00
There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. This vulnerability has been assigned the CVE identifier CVE-2023-27531. Carefully crafted JSON data processed by Kredis may result in deserialization of untrusted data, potentially leading to deserialization of unexpected objects in the system. Any applications using Kredis with JSON are affected.
diff --git a/lib/kredis/type/json.rb b/lib/kredis/type/json.rb
@@ -8,7 +8,7 @@ def type
       end
 
       def cast_value(value)
-        JSON.load(value)
+        JSON.parse(value)
       end
 
       def serialize(value)
diff --git a/test/types/scalar_test.rb b/test/types/scalar_test.rb
@@ -60,6 +60,9 @@ class ScalarTest < ActiveSupport::TestCase
     json = Kredis.json "myscalar"
     json.value = { "one" => 1, "string" => "hello" }
     assert_equal({ "one" => 1, "string" => "hello" }, json.value)
+
+    json.value = {"json_class"=>"String", "raw"=>[97, 98, 99]}
+    assert_equal({"json_class"=>"String", "raw"=>[97, 98, 99]}, json.value)
   end
 
   test "invalid type" do
