Dmytro Shteflyuk created THRIFT-6025:
----------------------------------------

             Summary: Ruby client must validate container sizes
                 Key: THRIFT-6025
                 URL: https://issues.apache.org/jira/browse/THRIFT-6025
             Project: Thrift
          Issue Type: Bug
            Reporter: Dmytro Shteflyuk
            Assignee: Dmytro Shteflyuk


The Ruby library accepts negative size values in protocol and transport read 
paths.

In Thrift protocols, strings, binary fields, maps, lists, and sets include a 
size value on the wire. If that size is negative, the runtime should reject the 
message immediately as invalid input. Ruby was not doing that consistently.

This affects both the pure Ruby implementation and the native C extension 
paths. A malformed or hostile payload can declare a negative size and reach 
code paths that were written assuming sizes are non-negative.

h2. Scope

Harden Ruby protocol and transport reads so negative sizes are rejected 
consistently for:
 * binary/string payload sizes
 * map sizes
 * list sizes
 * set sizes
 * transport read_all sizes
 * generated struct/union container reads
 * native accelerated Ruby paths



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
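
Added example, not part of the original issue and not code from the Thrift Ruby library: a minimal reader showing why the size check has to be explicit. The class and method names and the simplified list framing (an i32 count followed by i32 items) are assumptions made for illustration.

```ruby
require 'stringio'

# Added illustration; class and method names are hypothetical, not Thrift's API.
class NegativeSizeError < StandardError; end

class SizedReader
  def initialize(bytes, validate: true)
    @io = StringIO.new(bytes.b)
    @validate = validate
  end

  # Sizes travel as big-endian signed 32-bit integers, so a peer can send < 0.
  def read_i32
    read_all(4).unpack1('l>')
  end

  def read_all(size)
    check_size!(size, 'read_all')
    data = @io.read(size)
    raise EOFError, "wanted #{size} bytes" if data.nil? || data.bytesize < size
    data
  end

  def read_binary
    read_all(check_size!(read_i32, 'binary'))
  end

  # Simplified list framing (assumption): i32 count, then that many i32 items.
  def read_i32_list
    count = check_size!(read_i32, 'list')
    count.times.map { read_i32 } # a negative count iterates zero times
  end

  private

  def check_size!(size, what)
    raise NegativeSizeError, "negative #{what} size: #{size}" if @validate && size.negative?
    size
  end
end

# Constructed payloads: a list declaring -1 elements, a binary declaring -5 bytes.
BAD_LIST   = [-1, 7].pack('l>2')
BAD_BINARY = [-5].pack('l>') + 'hello'

def rejected?(bytes, reader_method)
  SizedReader.new(bytes).public_send(reader_method)
  false
rescue NegativeSizeError
  true
end
```

With validate: false the list declaring -1 elements is returned as an empty list and the trailing bytes stay unread, so the malformed message is accepted silently; with the check in place it is rejected before any element is read.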
