security: use Oj.safe_load to process json payload

`Oj#load` method is not safe for processing user input and can have serious impacts.
CircuitVerse · Aug 23, 2022 · 7b3023a · 7b3023a
1 parent 55ddeac
commit 7b3023a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/helpers/simulator_helper.rb b/app/helpers/simulator_helper.rb
@@ -23,8 +23,8 @@ def check_to_delete(data_url)
   def sanitize_data(project, data)
     return data if project&.assignment_id.blank? || data.blank?
 
-    data = Oj.load(data)
-    saved_restricted_elements = Oj.load(project.assignment.restrictions)
+    data = Oj.safe_load(data)
+    saved_restricted_elements = Oj.safe_load(project.assignment.restrictions)
     scopes = data["scopes"] || []
 
     parsed_scopes = scopes.each_with_object([]) do |scope, new_scopes|