Merge pull request #231 from hanami/announcing-v091

Announcing v0.9.1
jodosha committed Nov 18, 2016
2 parents f1feb9d + 6a5cb7f commit f5dd3e0a84b4a403b06da715033b5820ff09c353
@@ -212,7 +212,7 @@ def encode_text(text)
end

def hanami_version
'0.9.0'
'0.9.1'
end
end
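Review bot: the only change in this hunk is the string returned by `hanami_version` going from '0.9.0' to '0.9.1'; since this helper is what the site uses to render the current version, it is worth checking that no other template hard-codes "0.9.0" (the announcement below lists four released gems, so any per-gem version strings elsewhere in the site would need the same bump) so the site does not advertise a mix of versions after deploy.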

@@ -0,0 +1,34 @@
---
title: Announcing Hanami v0.9.1
date: 2016-11-18 15:11 UTC
tags: announcements
author: Luca Guidi
image: true
excerpt: >
Security patch for JSON body parsers
---

This is a security patch for [JSON body parsers](/guides/actions/parameters#body-parsers).

## The Problem

JSON body parsing was implemented using `Hanami::Utils::Json.load`, which internally uses `JSON.load`.
According to Ruby docs, `JSON.load` should be used only with trusted data, because it evals the given payload.

Thanks to [Lucas Hosseini](https://github.com/beauby) for spotting this problem.

## The Fix

We introduced `Hanami::Utils::Json.parse`, which is a safe alternative for JSON parsing.
JSON body parser now uses this new method, in order to guaratee a higher level of safety.

## How To Fix Your Project

From the root of your Hanami project: `bundle update hanami`.

## Released Gems

* `hanami-0.9.1`
* `hanami-utils-0.9.1`
* `hanami-router-0.8.1`
* `hanami-validations-0.7.1`
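Review bot: "guaratee" in the paragraph under "## The Fix" is a typo for "guarantee". Two documentation points on the same hunk: the post says `Hanami::Utils::Json.parse` is "a safe alternative" but does not say what it does differently from `Hanami::Utils::Json.load` (readers assessing exposure will want to know whether it avoids the `JSON.load` behaviour described under "## The Problem"), and the "## How To Fix Your Project" step `bundle update hanami` should tell readers what to verify afterwards, namely that `hanami-utils` resolves to 0.9.1 in `Gemfile.lock`, since that is the gem that carries the new parse method; suggest something like "After updating, confirm `Gemfile.lock` lists `hanami-utils (0.9.1)`."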
Binary file not shown.
@@ -225,3 +225,45 @@ module Web::Controllers::Signup
end
end
```

## Body Parsers

Rack ignores request bodies unless they come from a form submission.
If we have a JSON endpoint, the payload isn't available in `params`.

```ruby
module Web::Controllers::Books
class Create
include Web::Action
accept :json
def call(params)
puts params.to_h # => {}
end
end
end
```

```shell
curl http://localhost:2300/books \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{"book":{"title":"Hanami"}}' \
-X POST
```

In order to make book payload available in `params`, we should enable this feature:

```ruby
# apps/web/application.rb
module Web
class Application < Hanami::Application
configure do
# ...
body_parsers :json
end
end
end
```

Now `params.get(:book, :title)` returns `"Hanami"`.
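Review bot: this new "## Body Parsers" guide section does not mention that, as of the v0.9.1 announcement in this same commit, the JSON body parser uses `Hanami::Utils::Json.parse` rather than `Hanami::Utils::Json.load`; a one-line note at the end of the section (e.g. "Since v0.9.1 the JSON body parser uses `Hanami::Utils::Json.parse`, which is safe for untrusted payloads") would let readers of the guide know which release they need. It would also help to state explicitly that parsing is keyed on the request's `Content-Type` header, which the curl example implies with `-H "Content-Type: application/json"` but the prose never says, and the `# => {}` comment in the first Ruby block could note that this is the output before `body_parsers :json` is enabled so the two blocks read as a before/after pair.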
