Fix parser and bump version to 0.3.3 #35
Closed
10 changes: 10 additions & 0 deletions NEWS.md
@@ -1,5 +1,15 @@
# News

## 0.3.3

### Fixes

* Fixed a security vulnerability when `ENABLE_MARSHELLING` is set to true

### Thanks

* Hassen DHAHBI(plenum)

## 0.3.2

### Improvements
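Review bot: The constant name in the Fixes entry is misspelled: `ENABLE_MARSHELLING` should be `ENABLE_MARSHALLING`, the spelling used in the test comment in test/test_marshal.rb. The entry would also help users judge their exposure if it said what the fix does, for example `* Fixed unsafe deserialization of structs carrying a "___class___" member when ENABLE_MARSHALLING is true: only classes that include XMLRPC::Marshallable are now instantiated`. Minor: missing space in `Hassen DHAHBI(plenum)`.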
2 changes: 1 addition & 1 deletion lib/xmlrpc/parser.rb
Expand Up @@ -113,7 +113,7 @@ def self.struct(hash)
begin
mod = Module
klass.split("::").each {|const| mod = mod.const_get(const.strip)}

return hash unless mod.included_modules.include?(Marshallable)
obj = mod.allocate

hash.delete "___class___"
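Review bot: The new guard `return hash unless mod.included_modules.include?(Marshallable)` sits after the `const_get` walk, so a crafted `___class___` string is still resolved segment by segment (which can trigger constant autoloading and whatever the surrounding `begin` rescues) before it is rejected; consider checking the name against the set of Marshallable classes, or otherwise validating it, before calling `const_get`. The guard also does not ensure `mod` is a `Class`: `const_get` can return a `Module`, on which `allocate` on the next line is not defined, so adding `&& mod.is_a?(Class)` to the condition would turn that case into the same safe `return hash` path instead of a `NoMethodError`.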
25 changes: 25 additions & 0 deletions test/test_marshal.rb
Expand Up @@ -13,6 +13,13 @@ def initialize(name)
end
end

# for test_load_call_class_not_marshallable
class Person2
attr_reader :name
def initialize(name)
@name = name
end
end

def test1_dump_response
assert_nothing_raised(NameError) {
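Review bot: The comment above `Person2` should state why the class exists rather than only which test uses it: it deliberately mirrors `Person` but does not include `XMLRPC::Marshallable`, which is the property the new parser guard keys on. Suggest `# Same shape as Person but NOT Marshallable; used by test_load_call_class_not_marshallable`.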
Expand Down Expand Up @@ -107,5 +114,23 @@ def test_no_params_tag
assert_equal(expect, str)
end

# tests for vulnerability of unsafe deserialization when ENABLE_MARSHALLING is set to true
def test_load_call_class_marshallable
# return of load call should contain an instance of Person
input_xml = %{<?xml version="1.0" ?><methodCall><methodName>myMethod</methodName><params><param><value><struct><member><name>___class___</name><value><string>TestXMLRPC::Test_Marshal::Person</string></value></member><member><name>name</name><value><string>John Doe</string></value></member></struct></value></param></params></methodCall>\n}
m = XMLRPC::Marshal.load_call(input_xml)
assert_kind_of( Person, m[1][0] )
assert_instance_of( Person, m[1][0] )
end

def test_load_call_class_not_marshallable
# return of load call should contain hash instance since Person2 does not include XMLRPC::Marshallable
hash_exp = Hash.new
input_xml = %{<?xml version="1.0" ?><methodCall><methodName>myMethod</methodName><params><param><value><struct><member><name>___class___</name><value><string>TestXMLRPC::Test_Marshal::Person2</string></value></member><member><name>name</name><value><string>John Doe</string></value></member></struct></value></param></params></methodCall>\n}
m= XMLRPC::Marshal.load_call(input_xml)
assert_kind_of( Hash, m[1][0] )
assert_instance_of( Hash, m[1][0] )
end

end
end
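Review bot: `hash_exp = Hash.new` in `test_load_call_class_not_marshallable` is assigned but never used; either drop it or fill it with the expected contents and compare with `assert_equal`, so the test pins that the returned Hash still carries `"name" => "John Doe"` (and, given the early `return hash` in the parser, the untouched `___class___` member) instead of only checking the type. Both new tests also depend on `ENABLE_MARSHALLING` being true; asserting that precondition at the top of each test would make a silent pass under a different configuration impossible. Style: `m= XMLRPC::Marshal.load_call(input_xml)` is missing the space after `m`.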