From c3cd2389fee19ba209d99192ceda99b3cd3e5578 Mon Sep 17 00:00:00 2001
From: Martin Brennan <mjrbrennan@gmail.com>
Date: Wed, 15 Jan 2020 11:24:41 +0100
Subject: [PATCH] SECURITY: use strict JSON parsing when parsing backup
 metadata

---
 lib/backup_restore/meta_data_handler.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/backup_restore/meta_data_handler.rb b/lib/backup_restore/meta_data_handler.rb
index e61809a5642..2f11767eb8d 100644
--- a/lib/backup_restore/meta_data_handler.rb
+++ b/lib/backup_restore/meta_data_handler.rb
@@ -19,6 +19,14 @@ module BackupRestore
     def validate
       metadata = extract_metadata
 
+      if metadata[:version].blank?
+        raise MetaDataError.new("Version not defined in metadata file.")
+      end
+
+      if !metadata[:version].is_a?(String) && !metadata[:version].is_a?(Integer)
+        raise MetaDataError.new("Version is not in a valid format.")
+      end
+
       log "Validating metadata..."
       log "  Current version: #{@current_version}"
       log "  Restored version: #{metadata[:version]}"
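Review bot: The second guard raises "Version is not in a valid format." but only checks the value's class, so any non-empty String (e.g. "abc") passes; if the version is later compared numerically against @current_version (that code is outside the hunk, as is the rest of validate), a malformed string would surface as a comparison error rather than a MetaDataError. If the version is expected to be an integer-like value, the two new blocks collapse into `raise MetaDataError.new("Version not defined in metadata file.") if metadata[:version].blank?` followed by `raise MetaDataError.new("Version is not in a valid format.") unless metadata[:version].to_s.match?(/\A\d+\z/)`, which also matches the modifier-form style used in load_metadata_file. Both guards also presume extract_metadata returns a Hash; that is better enforced where the file is parsed.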
@@ -50,10 +58,10 @@ module BackupRestore
     end
 
     def load_metadata_file(path)
-      metadata = Oj.load_file(path, symbol_keys: true)
+      metadata = JSON.parse(File.read(path), symbolize_names: true)
       raise MetaDataError.new("Failed to load metadata file.") if metadata.blank?
       metadata
-    rescue Oj::ParseError
+    rescue JSON::ParserError
       raise MetaDataError.new("Failed to parse metadata file.")
     end
   end
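Review bot: JSON.parse accepts any top-level JSON value, so a file containing an array or a bare number yields a non-blank result that passes the `metadata.blank?` check and then fails later with a TypeError/NoMethodError on `metadata[:version]` instead of a MetaDataError. Tighten the post-parse check to `raise MetaDataError.new("Failed to load metadata file.") unless metadata.is_a?(Hash) && !metadata.empty?`. File.read errors (Errno::ENOENT and similar) are also not covered by the `rescue JSON::ParserError` clause and will propagate raw; whether that matches the previous Oj.load_file behaviour is not visible here, so confirm it is intended.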