Security in JRuby

headius edited this page Jan 9, 2012 · 1 revision

For now this aggregates some links to security information and a few FAQs.


JRuby versions prior to are affected. JRuby includes a patch that randomizes the hash value for String, making the hash-collision DoS much harder to exploit. Thomas Enebo explained the DoS and the fix in more detail at Special JRuby Release

JRuby 1.7 will also include a method for obtaining the unseeded hash, for applications that want a fast, predictable String#hash. It uses MurmurHash with an initial seed of 0.

# unseeded_hash.rb: print the seeded and the unseeded hash of the same string
require 'jruby/util'
puts 'foo'.hash, 'foo'.unseeded_hash

Run twice:

system ~/projects/jruby $ jruby unseeded_hash.rb 

system ~/projects/jruby $ jruby unseeded_hash.rb
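The following script is an added example, not code from the JRuby project or this wiki. It makes the contrast above observable on any Ruby: `hash_in_child` evaluates `'foo'.hash` in a fresh interpreter twice so the per-process seed shows up as two different values, while `predictable_hash` returns JRuby's `String#unseeded_hash` where it exists and otherwise falls back to a pure-Ruby 32-bit MurmurHash2 with seed 0. That fallback is an assumption for illustration only; it is not claimed to be bit-identical to JRuby's implementation.

```ruby
# Added example (not JRuby project code): seeded String#hash versus a
# predictable, unseeded hash. The pure-Ruby MurmurHash2 below is an
# assumption used as a stand-in for JRuby's String#unseeded_hash.
require 'rbconfig'

MURMUR_M = 0x5bd1e995
MASK32   = 0xffffffff

# 32-bit MurmurHash2 over the bytes of str, seed 0 by default
# (the "initial seed of 0" the page mentions).
def murmur2(str, seed = 0)
  bytes = str.b.bytes
  len = bytes.size
  h = (seed ^ len) & MASK32
  i = 0
  while len - i >= 4
    k = bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)
    k = (k * MURMUR_M) & MASK32
    k ^= k >> 24
    k = (k * MURMUR_M) & MASK32
    h = (h * MURMUR_M) & MASK32
    h ^= k
    i += 4
  end
  tail = len - i
  h ^= bytes[i + 2] << 16 if tail >= 3
  h ^= bytes[i + 1] << 8  if tail >= 2
  if tail >= 1
    h ^= bytes[i]
    h = (h * MURMUR_M) & MASK32
  end
  h ^= h >> 13
  h = (h * MURMUR_M) & MASK32
  h ^= h >> 15
  h
end

# Predictable hash: JRuby 1.7's String#unseeded_hash when available,
# otherwise the murmur2 stand-in above (assumption, see top comment).
def predictable_hash(str)
  begin
    require 'jruby/util'
  rescue LoadError
    # not running on JRuby; use the fallback
  end
  return str.unseeded_hash if str.respond_to?(:unseeded_hash)
  murmur2(str, 0)
end

# Evaluates str.hash in a fresh interpreter process, so calling this twice
# shows whether the hash seed differs per process. Returns nil on failure.
def hash_in_child(str)
  out = IO.popen([RbConfig.ruby, '-e', "print #{str.inspect}.hash"], &:read)
  out.nil? || out.empty? ? nil : Integer(out)
rescue SystemCallError
  nil
end

if __FILE__ == $0
  a = hash_in_child('foo')
  b = hash_in_child('foo')
  puts "seeded String#hash in two processes: #{a.inspect} / #{b.inspect}" \
       " (#{a == b ? 'same' : 'different'})"
  puts "predictable hash, twice: #{predictable_hash('foo')} / #{predictable_hash('foo')}"
end
```

The seeded value is what should back any Hash whose keys come from untrusted input; the predictable one belongs only where stability across processes matters (persisted bucketing, cross-process consistency), because predictability is exactly what the randomization removes from an attacker's reach.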