From b9e142af529b20720fc34bc5f563e935a7ef7cda Mon Sep 17 00:00:00 2001
From: Godfrey Chan <godfreykfc@gmail.com>
Date: Wed, 11 Sep 2013 16:52:58 -0700
Subject: Replace JSON.load with JSON.parse, also removed the proc parameter

Since we are dealing with untrusted user input, we should not be
using JSON.load. According to the docs[1]:

BEWARE: This method is meant to serialise data from trusted user
input, like from your own database server or clients under your
control, it could be dangerous to allow untrusted users to pass
JSON sources into it. The default options for the parser can be
changed via the ::load_default_options method.

[1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
---
 activesupport/test/json/decoding_test.rb | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'activesupport/test')

diff --git a/activesupport/test/json/decoding_test.rb b/activesupport/test/json/decoding_test.rb
index 99c5f2d1ec..3ec9b06d6a 100644
--- a/activesupport/test/json/decoding_test.rb
+++ b/activesupport/test/json/decoding_test.rb
@@ -4,6 +4,12 @@ require 'active_support/json'
 require 'active_support/time'
 
 class TestJSONDecoding < ActiveSupport::TestCase
+  class Foo
+    def self.json_create(object)
+      "Foo"
+    end
+  end
+
   TESTS = {
     %q({"returnTo":{"\/categories":"\/"}})        => {"returnTo" => {"/categories" => "/"}},
     %q({"return\\"To\\":":{"\/categories":"\/"}}) => {"return\"To\":" => {"/categories" => "/"}},
@@ -52,7 +58,8 @@ class TestJSONDecoding < ActiveSupport::TestCase
     # tests escaping of "\n" char with Yaml backend
     %q({"a":"\n"})  => {"a"=>"\n"},
     %q({"a":"\u000a"}) => {"a"=>"\n"},
-    %q({"a":"Line1\u000aLine2"}) => {"a"=>"Line1\nLine2"}
+    %q({"a":"Line1\u000aLine2"}) => {"a"=>"Line1\nLine2"},
+    %q({"json_class":"TestJSONDecoding::Foo"}) => {"json_class"=>"TestJSONDecoding::Foo"}
   }
 
   TESTS.each_with_index do |(json, expected), index|
@@ -78,5 +85,11 @@ class TestJSONDecoding < ActiveSupport::TestCase
   def test_failed_json_decoding
     assert_raise(ActiveSupport::JSON.parse_error) { ActiveSupport::JSON.decode(%({: 1})) }
   end
+
+  def test_cannot_force_json_unmarshalling
+    encodeded = %q({"json_class":"TestJSONDecoding::Foo"})
+    decodeded = {"json_class"=>"TestJSONDecoding::Foo"}
+    assert_equal decodeded, ActiveSupport::JSON.decode(encodeded, create_additions: true)
+  end
 end
 
-- 
cgit v1.2.3