==== vuln_variant reproduction_steps.sh start 2026-07-02T17:35:52Z ====
[*] ruby=ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]
[*] Reusing existing repo at /data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo (HEAD=495cc38)
========== PHASE 1: VULNERABLE (495cc38, v3.17.2) ==========
[*] Checking out VULNERABLE commit 495cc38fc5a02681da2175960d4a667fae48f3c9
[*] VULNERABLE resolved HEAD=495cc38fc5a02681da2175960d4a667fae48f3c9
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building VULNERABLE C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] VULNERABLE build OK (HEAD=495cc38)
[*] Verifying vulnerable form_attr uses buf (not b):
72: id = rb_intern3(buf, len + 1, oj_utf8_encoding);
85: return (VALUE)rb_intern3(buf, len + 1, oj_utf8_encoding);
[*] Verifying usual.c form_attr already fixed (uses b):
66: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[*] Testing all modes on VULNERABLE version (4 runs each):
[vuln] object                : leak=1 encoding_error=1 correct=0
[vuln] compat_obj            : leak=0 encoding_error=0 correct=1
[vuln] compat_hash           : leak=0 encoding_error=0 correct=1
[vuln] rails                 : leak=0 encoding_error=0 correct=1
[vuln] strict                : leak=0 encoding_error=0 correct=1
[vuln] null                  : leak=0 encoding_error=0 correct=1
[vuln] wab                   : leak=0 encoding_error=0 correct=1
[vuln] custom                : leak=0 encoding_error=0 correct=1
[vuln] np_usual_obj          : leak=0 encoding_error=0 correct=1
[vuln] np_usual_hash         : leak=0 encoding_error=0 correct=1
[vuln] np_usual_obj_symcache : leak=0 encoding_error=0 correct=1
========== PHASE 2: FIXED (bbde91a, v3.17.3) ==========
[*] Checking out FIXED commit bbde91a679728f94c4492ebc3683f4fa3309049f
[*] FIXED resolved HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building FIXED C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] FIXED build OK (HEAD=bbde91a)
[*] Verifying fixed form_attr uses b (not buf) in long-key path:
72: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[*] Testing all modes on FIXED version (4 runs each):
[fixed] object                : leak=0 encoding_error=0 correct=1
[fixed] compat_obj            : leak=0 encoding_error=0 correct=1
[fixed] compat_hash           : leak=0 encoding_error=0 correct=1
[fixed] rails                 : leak=0 encoding_error=0 correct=1
[fixed] strict                : leak=0 encoding_error=0 correct=1
[fixed] null                  : leak=0 encoding_error=0 correct=1
[fixed] wab                   : leak=0 encoding_error=0 correct=1
[fixed] custom                : leak=0 encoding_error=0 correct=1
[fixed] np_usual_obj          : leak=0 encoding_error=0 correct=1
[fixed] np_usual_hash         : leak=0 encoding_error=0 correct=1
[fixed] np_usual_obj_symcache : leak=0 encoding_error=0 correct=1
========== PHASE 3: VARIANT / BYPASS MATRIX ==========
MODE                   | VULN_LEAK  | FIXED_LEAK | CLASSIFICATION
-----------------------+------------+------------+-------------
object                 | 1          | 0          | covered_by_fix
compat_obj             | 0          | 0          | not_affected
compat_hash            | 0          | 0          | not_affected
rails                  | 0          | 0          | not_affected
strict                 | 0          | 0          | not_affected
null                   | 0          | 0          | not_affected
wab                    | 0          | 0          | not_affected
custom                 | 0          | 0          | not_affected
np_usual_obj           | 0          | 0          | not_affected
np_usual_hash          | 0          | 0          | not_affected
np_usual_obj_symcache  | 0          | 0          | not_affected
==============================================
VERDICT
orig_object_vuln_leak = 1
orig_object_fixed_clean = 1
alt_trigger_found = 0 (mode leaks on vuln but NOT the original object path)
bypass_found = 0 (some mode leaks on the FIXED version)
==============================================
[*] runtime_manifest.json written
[*] Restoring repo to fixed commit bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Final repo HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
==== vuln_variant reproduction_steps.sh end 2026-07-02T17:36:21Z ====
[*] No variant/bypass found (exit 1) — fix appears complete

==== vuln_variant reproduction_steps.sh start 2026-07-02T17:36:30Z ====
[*] ruby=ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]
[*] Reusing existing repo at /data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo (HEAD=bbde91a)
========== PHASE 1: VULNERABLE (495cc38, v3.17.2) ==========
[*] Checking out VULNERABLE commit 495cc38fc5a02681da2175960d4a667fae48f3c9
[*] VULNERABLE resolved HEAD=495cc38fc5a02681da2175960d4a667fae48f3c9
[*] Building VULNERABLE C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] VULNERABLE build OK (HEAD=495cc38)
[*] Verifying vulnerable form_attr uses buf (not b):
72: id = rb_intern3(buf, len + 1, oj_utf8_encoding);
85: return (VALUE)rb_intern3(buf, len + 1, oj_utf8_encoding);
[*] Verifying usual.c form_attr already fixed (uses b):
66: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[*] Testing all modes on VULNERABLE version (4 runs each):
[vuln] object                : leak=1 encoding_error=1 correct=0
[vuln] compat_obj            : leak=0 encoding_error=0 correct=1
[vuln] compat_hash           : leak=0 encoding_error=0 correct=1
[vuln] rails                 : leak=0 encoding_error=0 correct=1
[vuln] strict                : leak=0 encoding_error=0 correct=1
[vuln] null                  : leak=0 encoding_error=0 correct=1
[vuln] wab                   : leak=0 encoding_error=0 correct=1
[vuln] custom                : leak=0 encoding_error=0 correct=1
[vuln] np_usual_obj          : leak=0 encoding_error=0 correct=1
[vuln] np_usual_hash         : leak=0 encoding_error=0 correct=1
[vuln] np_usual_obj_symcache : leak=0 encoding_error=0 correct=1
========== PHASE 2: FIXED (bbde91a, v3.17.3) ==========
[*] Checking out FIXED commit bbde91a679728f94c4492ebc3683f4fa3309049f
[*] FIXED resolved HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Building FIXED C extension (manual extconf + make)
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
[*] FIXED build OK (HEAD=bbde91a)
[*] Verifying fixed form_attr uses b (not buf) in long-key path:
72: id = rb_intern3(b, len + 1, oj_utf8_encoding);
[*] Testing all modes on FIXED version (4 runs each):
[fixed] object                : leak=0 encoding_error=0 correct=1
[fixed] compat_obj            : leak=0 encoding_error=0 correct=1
[fixed] compat_hash           : leak=0 encoding_error=0 correct=1
[fixed] rails                 : leak=0 encoding_error=0 correct=1
[fixed] strict                : leak=0 encoding_error=0 correct=1
[fixed] null                  : leak=0 encoding_error=0 correct=1
[fixed] wab                   : leak=0 encoding_error=0 correct=1
[fixed] custom                : leak=0 encoding_error=0 correct=1
[fixed] np_usual_obj          : leak=0 encoding_error=0 correct=1
[fixed] np_usual_hash         : leak=0 encoding_error=0 correct=1
[fixed] np_usual_obj_symcache : leak=0 encoding_error=0 correct=1
========== PHASE 3: VARIANT / BYPASS MATRIX ==========
MODE                   | VULN_LEAK  | FIXED_LEAK | CLASSIFICATION
-----------------------+------------+------------+-------------
object                 | 1          | 0          | covered_by_fix
compat_obj             | 0          | 0          | not_affected
compat_hash            | 0          | 0          | not_affected
rails                  | 0          | 0          | not_affected
strict                 | 0          | 0          | not_affected
null                   | 0          | 0          | not_affected
wab                    | 0          | 0          | not_affected
custom                 | 0          | 0          | not_affected
np_usual_obj           | 0          | 0          | not_affected
np_usual_hash          | 0          | 0          | not_affected
np_usual_obj_symcache  | 0          | 0          | not_affected
==============================================
VERDICT
orig_object_vuln_leak = 1
orig_object_fixed_clean = 1
alt_trigger_found = 0 (mode leaks on vuln but NOT the original object path)
bypass_found = 0 (some mode leaks on the FIXED version)
==============================================
[*] runtime_manifest.json written
[*] Restoring repo to fixed commit bbde91a679728f94c4492ebc3683f4fa3309049f
Removing ext/oj/Makefile
Removing ext/oj/cache.o
Removing ext/oj/cache8.o
Removing ext/oj/circarray.o
Removing ext/oj/code.o
Removing ext/oj/compat.o
Removing ext/oj/custom.o
Removing ext/oj/debug.o
Removing ext/oj/dump.o
Removing ext/oj/dump_compat.o
Removing ext/oj/dump_leaf.o
Removing ext/oj/dump_object.o
Removing ext/oj/dump_strict.o
Removing ext/oj/err.o
Removing ext/oj/fast.o
Removing ext/oj/intern.o
Removing ext/oj/mem.o
Removing ext/oj/mimic_json.o
Removing ext/oj/object.o
Removing ext/oj/odd.o
Removing ext/oj/oj.o
Removing ext/oj/oj.so
Removing ext/oj/parse.o
Removing ext/oj/parser.o
Removing ext/oj/rails.o
Removing ext/oj/reader.o
Removing ext/oj/resolve.o
Removing ext/oj/rxclass.o
Removing ext/oj/safe.o
Removing ext/oj/saj.o
Removing ext/oj/saj2.o
Removing ext/oj/scp.o
Removing ext/oj/sparse.o
Removing ext/oj/stream_writer.o
Removing ext/oj/strict.o
Removing ext/oj/string_writer.o
Removing ext/oj/trace.o
Removing ext/oj/usual.o
Removing ext/oj/util.o
Removing ext/oj/val_stack.o
Removing ext/oj/validate.o
Removing ext/oj/wab.o
Removing lib/oj/oj.so
[*] Final repo HEAD=bbde91a679728f94c4492ebc3683f4fa3309049f
==== vuln_variant reproduction_steps.sh end 2026-07-02T17:36:56Z ====
[*] No variant/bypass found (exit 1) — fix appears complete