Don't pass non-array-or-object roots to JSON.generate() #1

Merged
merged 1 commit into from
Jul 8, 2016

@pda pda commented Jul 8, 2016

If json_pure v2.x is loaded, JSON.generate and JSON.dump reject invalid (non-array, non-object) root level objects. This PR works around this without breaking existing signatures by wrapping invalid root values in an array and then stripping the resulting brackets before input to the HMAC function. It only changes how the HMAC input is generated; it does not change how the final data is encoded.

Previously, without json_pure:

$ docker run ruby:2.3.1 \
    bash -c "gem install signed_json && ruby -e 'require \"signed_json\"; puts SignedJson::Signer.new(\"secret\").encode(nil)'"
Successfully installed signed_json-2.0.0
1 gem installed
["546b281dfcf7e69a4dbcb6a5001929585d65c7d7",null]

Previously, with json_pure v2.0.1:

$ docker run ruby:2.3.1 \
    bash -c "gem install json_pure signed_json && ruby -r json/pure -r signed_json -e 'puts SignedJson::Signer.new(\"secret\").encode(nil)'"
Successfully installed json_pure-2.0.1
Successfully installed signed_json-2.0.0
2 gems installed
/usr/local/bundle/gems/json_pure-2.0.1/lib/json/common.rb:224:in `generate': only generation of JSON objects or arrays allowed (JSON::GeneratorError)
        from /usr/local/bundle/gems/json_pure-2.0.1/lib/json/common.rb:224:in `generate'
        from /usr/local/bundle/gems/json_pure-2.0.1/lib/json/common.rb:394:in `dump'
        from /usr/local/bundle/gems/signed_json-2.0.0/lib/signed_json.rb:50:in `json_generate'
        from /usr/local/bundle/gems/signed_json-2.0.0/lib/signed_json.rb:29:in `digest_for'
        from /usr/local/bundle/gems/signed_json-2.0.0/lib/signed_json.rb:13:in `encode'
        from -e:1:in `<main>'

If json_pure v2.x is loaded, JSON.generate and JSON.dump reject invalid
(non-array, non-object) root level objects. Work around this without
breaking existing signatures.
@pda pda merged commit 34adbd9 into master Jul 8, 2016
@pda pda deleted the fix-json-pure branch July 8, 2016 04:33
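
The workaround described in this PR, sketched as an added example (not the gem's code or the merged commit): non-array, non-object roots are wrapped in an array and the outer brackets are sliced off before the HMAC is computed. The module and method names are hypothetical, and HMAC-SHA1 is an assumption based on the 40-hex-digit digest in the output above.

```ruby
require "json"
require "openssl"

# Hypothetical sketch; names are not taken from signed_json.
module SignedSketch
  module_function

  # String fed to the HMAC. Arrays and hashes go straight to JSON.generate.
  # Any other root is wrapped in an array and the outer brackets are sliced
  # off by position, so a string root such as "]" is not damaged.
  def hmac_input(value)
    return JSON.generate(value) if value.is_a?(Array) || value.is_a?(Hash)
    JSON.generate([value])[1..-2]
  end

  # HMAC-SHA1 is assumed from the digest length in the PR's sample output.
  def digest_for(secret, value)
    OpenSSL::HMAC.hexdigest("SHA1", secret, hmac_input(value))
  end

  # Envelope is [digest, data]; the root is always an array, so the final
  # encoding never hits the root-level restriction.
  def encode(secret, value)
    JSON.generate([digest_for(secret, value), value])
  end

  # Constant-time comparison so verification does not leak a matching prefix.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Recompute the digest over the decoded data and reject any mismatch.
  def decode(secret, encoded)
    digest, value = JSON.parse(encoded)
    raise ArgumentError, "bad signature" unless digest.is_a?(String) &&
      secure_equal?(digest, digest_for(secret, value))
    value
  end
end
```

Because the HMAC input for `nil` is still the four bytes `null`, a signature computed this way matches one computed over a direct `JSON.generate(nil)` result with the same key and digest.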