Ruby on Rails contains a flaw that is triggered when to_json is called on an ActiveModel::Name instance (for example, User.model_name.to_json), which enters an infinite recursion. This may allow a remote attacker who can trigger such a call to cause a denial of service.
Previously, calling User.model_name.to_json would result in an infinite recursion as .model_name did not respond to the .to_json. This patch fixes that unexpected behavior by delegating .to_json to the correct handler.
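As an added illustration of the failure mode described above (this is not Rails code, and it is not ActiveSupport's real encoder), the following Ruby models the recursion with a small reflective as_json walker and shows how delegating as_json to the wrapped String, as the patch does, stops it. `ReflectiveJson`, `Model`, `UnsafeName`, `SafeName`, `encode_model_name` and the depth bound are all assumptions made for this example; the exact object cycle inside Rails may run through different objects.

```ruby
require "json"
require "forwardable"

# Added example, not Rails code: a deliberately simplified stand-in for
# ActiveSupport's reflective JSON encoding. Every class and method name
# below is hypothetical.

# ActiveSupport gives String an as_json that returns the string itself; the
# same leaf method is added here so that a delegated as_json has a target.
class String
  def as_json(_options = nil)
    self
  end
end

module ReflectiveJson
  class TooDeep < StandardError; end
  # Defensive bound: without it a genuine cycle ends in SystemStackError.
  MAX_DEPTH = 64

  # Turn obj into JSON-ready data. Objects that define as_json opt out of the
  # reflective walk; everything else has its instance variables serialised
  # recursively, which is exactly what makes a self-referential graph loop.
  def self.as_json(obj, depth = 0)
    raise TooDeep, "object graph deeper than #{MAX_DEPTH} levels" if depth > MAX_DEPTH
    case obj
    when String, Numeric, true, false, nil then obj
    else
      return obj.as_json if obj.respond_to?(:as_json)
      obj.instance_variables.each_with_object({}) do |ivar, out|
        out[ivar.to_s.delete("@")] = as_json(obj.instance_variable_get(ivar), depth + 1)
      end
    end
  end

  def self.encode(obj)
    JSON.generate(as_json(obj))
  end
end

# Stand-in for a model class: it memoises its Name, and the Name keeps a
# reference back to the model, closing the cycle Name -> klass -> Name.
class Model
  attr_reader :model_name

  def initialize(name_class, name)
    @model_name = name_class.new(self, name)
  end
end

# Before the fix: to_s/to_str are delegated but as_json is not, so the
# reflective walk descends into @klass and comes straight back to this object.
class UnsafeName
  extend Forwardable
  def_delegators :@name, :to_s, :to_str

  def initialize(klass, name)
    @klass = klass
    @name = name
  end
end

# After the fix: as_json is delegated to the String as well, so encoding
# stops at the name and never touches @klass.
class SafeName < UnsafeName
  def_delegators :@name, :as_json
end

# Returns the JSON for a freshly built name, or a description of the error
# when encoding blows up, so both outcomes can be compared side by side.
def encode_model_name(name_class)
  ReflectiveJson.encode(Model.new(name_class, "Contact").model_name)
rescue ReflectiveJson::TooDeep => e
  "#{e.class.name}: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts encode_model_name(UnsafeName) # hits the depth bound
  puts encode_model_name(SafeName)   # "Contact" as a JSON string
end
```

The ordering inside `ReflectiveJson.as_json` is the important part: an object that answers `as_json` is taken at its word before any reflection happens, which is why a one-token delegation is enough to break the cycle. The depth bound is the check a practitioner would keep in any generic walker regardless, since it turns an unbounded recursion into a reportable error.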
activemodel/lib/active_model/naming.rb
@@ -130,7 +130,7 @@ class Name
#
# Equivalent to +to_s+.
delegate :==, :===, :<=>, :=~, :"!~", :eql?, :to_s,
- :to_str, to: :name
+ :to_str, :as_json, to: :name
# Returns a new ActiveModel::Name instance. By default, the +namespace+
# and +name+ option will take the namespace and name of the given class
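Review bot: the commit message says .to_json is delegated, but the hunk adds only :as_json to the delegate list; either add :to_json alongside it so callers that invoke to_json on the Name directly get the same result, or reword the message to say as_json. The doc comment just above ("# Equivalent to +to_s+.") also no longer covers everything in the list and should mention that JSON encoding of a Name yields the same value as +to_s+.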
activemodel/test/cases/serializers/json_serialization_test.rb
@@ -195,4 +195,8 @@ def @contact.as_json(options = {}); super(options.merge(only: [:name])); end
assert_no_match %r{"awesome":}, json
assert_no_match %r{"preferences":}, json
end
+
+ test "Class.model_name should be json encodable" do
+ assert_match %r{"Contact"}, Contact.model_name.to_json
+ end
end
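Review bot: `assert_match %r{"Contact"}, Contact.model_name.to_json` is weaker than it needs to be, since it also passes for any JSON that merely contains the quoted class name (for example a hash dump of the Name's instance variables) and so does not pin down that the result is the bare string. Prefer `assert_equal '"Contact"', Contact.model_name.to_json`, and consider a companion `assert_equal "Contact", Contact.model_name.as_json`, since as_json is the method the fix actually delegates.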