
Oj parsing issue #56

Closed
zimbatm opened this Issue · 2 comments

2 participants

@zimbatm

Oj shouldn't produce symbols when parsing a JSON message:

res = Oj.dump({:a=>'b'}) #=> "{\":a\":\"b\"}"   # default (:object) mode encodes the symbol key as ":a"
Oj.load(res)             #=> {:a => 'b'}         # and turns the ":a" string back into a Symbol on load

It's wrong because the format never specifies the symbol type which opens unexpected behaviors but more importantly, symbols are never garbage collected which means that an attacker could easily flood a VM with unused objects.

@ohler55
Owner

That is the behavior in the :object mode. If it is not what you want then use a different mode. You can also change the symbolize_keys option. It is only a vulnerability if you expose it directly to end users in that mode. Don't do that and you will be fine.
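An added illustration of the defensive side of this thread, not code from the issue or from Oj: if an application wants symbol keys from untrusted JSON, intern only keys from a fixed allowlist so attacker-chosen keys never become new symbols. It uses Ruby's stdlib JSON parser (string keys, like Oj's non-object modes described above); the allowlist and the sample document are constructed for the example.

```ruby
require 'json'

# Constructed sample: an untrusted document whose keys mimic the ":name"
# encoding that Oj's :object mode would turn into Symbols.
UNTRUSTED = '{":a":"b",":zzz_attacker_chosen":"c"}'

# Hypothetical application schema: only these keys may become Symbols.
# They are interned once here, so no new symbol is ever created from input.
ALLOWED_KEYS = %w[a b].freeze
ALLOWED_SYMBOLS = ALLOWED_KEYS.map { |k| [k, k.to_sym] }.to_h.freeze

# Parse with plain String keys (no symbol creation), then map only
# allowlisted keys to their pre-interned Symbols; everything else stays a String.
def safe_load(json)
  data = JSON.parse(json) # stdlib JSON: keys are Strings
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)

  data.each_with_object({}) do |(key, value), out|
    name = key.start_with?(':') ? key[1..-1] : key # strip the object-mode prefix
    out[ALLOWED_SYMBOLS.fetch(name, name)] = value
  end
end

# Contrast: naive symbolization interns every attacker-supplied key.
def naive_load(json)
  JSON.parse(json, symbolize_names: true)
end

# Approximate check of how many symbols a loader creates for one document
# (approximate because GC may reclaim unrelated dynamic symbols meanwhile).
def symbols_created_by(json)
  before = Symbol.all_symbols.size
  yield json
  Symbol.all_symbols.size - before
end
```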

@ohler55
Owner

Closing this issue as it appears it would be fixed by a more careful look at the documentation and there has been no response for a week.

@ohler55 ohler55 closed this