Ruby: JSON flow summaries #11136
Ruby: JSON flow summaries #11136
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
hmac
force-pushed
the
json-flow-summaries
branch
from
97dcfdc to
fc85996
Compare
hmac
force-pushed
the
json-flow-summaries
branch
from
fc85996 to
a56696f
Compare
There was a problem hiding this comment.
There are a few instance methods for oj that look relevant for flow from the self arg to the return value, e.g. as_json, to_json etc: https://rubydoc.info/gems/oj/JSON/GenericObject Are these in scope for this PR - I recognize that there's probably a ton of potential methods to model that might not be used much in practice.
| row = | ||
| [ | ||
| "json;;Member[JSON].Method[parse,parse!,load,restore];Argument[0];ReturnValue;taint", | ||
| "json;;Member[JSON].Method[generate,fast_generate,dump,unparse,fast_unparse];Argument[0];ReturnValue;taint", |
There was a problem hiding this comment.
| "json;;Member[JSON].Method[generate,fast_generate,dump,unparse,fast_unparse];Argument[0];ReturnValue;taint", | |
| "json;;Member[JSON].Method[generate,fast_generate,pretty_generate,dump,unparse,fast_unparse];Argument[0];ReturnValue;taint", |
That's a good question. As you say, there's a lot of potential methods we should model. My preference is to tackle the obvious low-hanging fruit here, and then tackle the various JSON gems in full later on, as part of general non-rails library modelling. What do you think? |
Sounds like a good approach. |
This import isn't needed.
hmac
force-pushed
the
json-flow-summaries
branch
from
b862c7b to
dab7970
Compare
Add flow summaries for
ActiveSupport::JSONand various JSON methods. We consider JSON parsing and generation to be taint-preserving.