Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
encoding/json: detect circular data structures when encoding #10769
The following program panics.
I searched, but didn't find this in here.
/cc @dvyukov go-fuzz
If it is a documented limitation I would strongly expect it to return an informative ERROR - and not go into a glowing hot CPU and then panic.
It should be possible to detect these cycles earlier.
In this case it's triggered from a Go template -- go template end users don't understand cyclic object graphs until it's spelled out for them.
The json package says:
The template package says:
So, I guess you are kind of correct when you say that this is a documented limitation ... But one could argue that this opens the html templates up for code injection (DDoS), which the documentation says it protects against.
I don't think it's reasonable to expect the template package to mitigate all possible forms of pathological input. I'm sure it's possible, but am having a hard time imagining a real program that would allow a user to construct the circular graph that triggers this behaviour.
To mitigate this issue we would necessarily complicate and slow down the JSON encoder, which is something we have decided not to do.
Thanks for the report.
Up to you.
BTW, this issue was found by a user using a real program. He didn't have to "construct the circular graph", it was there in the context. Maybe it shouldn't have been, but circular refs are very common -- I wouldn't call them "pathological input".
That I agree about.
The Go program in question is Hugo, a static site generator. It uses Go templates. In the template context is the
So a person does this in a template (gohugoio/hugo#1123):
I would agree that this usage is "pathological", but people do stupid (and some do evil) things.
And from Hugo's point of view, to fix this, we must remove the circular reference from