Security in JRuby
For now this aggregates some links to security information and a few FAQs.
- How is JRuby affected by the hash collision DoS?
JRuby versions prior to 184.108.40.206 are affected. JRuby 220.127.116.11 includes a patch that randomizes the hash value for String, making this much harder to exploit. Thomas Enebo explained the DoS and the fix in more detail at Special JRuby Release 18.104.22.168.
JRuby 1.7 will also include a method that returns the non-seeded hash, for applications that want a fast, predictable String#hash. It uses MurmurHash with an initial seed of 0.
```ruby
require 'jruby/util'
puts 'foo'.hash, 'foo'.unseeded_hash
```

```
system ~/projects/jruby $ jruby unseeded_hash.rb
265581630
-1880464523
system ~/projects/jruby $ jruby unseeded_hash.rb
1788498603
-1880464523
```
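To show why a per-process random seed matters and why a fixed seed of 0 stays predictable, here is an added toy model (not code from the JRuby wiki or the JRuby code base). It uses a constructed FNV-1a-style mixer rather than JRuby's MurmurHash, and the names `toy_hash`, `bucket`, `max_bucket_load` and `keys_colliding_under_seed0` are assumptions of this example.

```ruby
# Added example (not from the JRuby wiki or JRuby itself): a toy model of
# seeded versus unseeded string hashing. The mixer is a constructed 32-bit
# FNV-1a-style hash, NOT JRuby's MurmurHash; only the seeding idea is shared.

MASK = 0xFFFFFFFF
FNV_PRIME = 0x01000193

# Models the runtime picking a random seed once at startup (String#hash);
# seed 0 models the predictable String#unseeded_hash.
PROCESS_SEED = Random.new_seed & MASK

def toy_hash(str, seed)
  h = seed
  str.each_byte { |b| h = ((h ^ b) * FNV_PRIME) & MASK }
  h
end

# Slot a key would occupy in a hash table with `buckets` slots.
def bucket(str, seed, buckets)
  toy_hash(str, seed) % buckets
end

# Largest number of keys sharing one bucket; lookups degrade to O(n) when
# this equals the number of keys.
def max_bucket_load(keys, seed, buckets)
  keys.group_by { |k| bucket(k, seed, buckets) }.values.map(&:size).max
end

# Constructed worst-case input: keys that all land in bucket 0 when the seed
# is 0, i.e. when the hash function is predictable to whoever supplies them.
def keys_colliding_under_seed0(count, buckets)
  keys = []
  ("a".."zzz").each do |k|
    keys << k if bucket(k, 0, buckets).zero?
    break if keys.size == count
  end
  keys
end

if __FILE__ == $PROGRAM_NAME
  keys = keys_colliding_under_seed0(50, 64)
  puts "seed 0      : max bucket load #{max_bucket_load(keys, 0, 64)} of #{keys.size}"
  puts "random seed : max bucket load #{max_bucket_load(keys, PROCESS_SEED, 64)} of #{keys.size}"
  puts "'foo' seeded=#{toy_hash('foo', PROCESS_SEED)} unseeded=#{toy_hash('foo', 0)}"
end
```

Run it twice: the seeded values change between processes while the unseeded value does not, the same contrast the transcript above shows for String#hash and String#unseeded_hash.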