Oj parsing issue #56

Closed
zimbatm opened this issue Dec 18, 2012 · 2 comments
Comments


zimbatm commented Dec 18, 2012

Oj shouldn't produce symbols when parsing a JSON message:

res = Oj.dump({:a=>'b'}) #=> "{\":a\":\"b\"}"   # symbol key is serialised as the string ":a"
Oj.load(res)             #=> {:a => 'b'}          # and turned back into a Symbol on load

It's wrong because the format never specifies the symbol type, which opens unexpected behaviors; but more importantly, symbols are never garbage collected, which means that an attacker could easily flood a VM with unused objects.


ohler55 commented Dec 19, 2012

That is the behavior in the :object mode. If it is not what you want then use a different mode. You can also change the symbolize_keys option. It is only a vulnerability if you expose it directly to end users in that mode. Don't do that and you will be fine.
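The defensive pattern the two comments point at, as an added example that is not code from this issue or from the Oj project: parse untrusted JSON so that every key stays a String (the stdlib `json` library is used here so the snippet runs without the Oj gem; its `symbolize_names` option plays the role of Oj's `symbolize_keys`), then convert only keys from a fixed allow-list to Symbols, so attacker-chosen key names never enter the symbol table. The allow-list, the sample payload and the helper names are constructed for this example.

```ruby
# Added example, not code from the Oj issue or the Oj project.
# Parse untrusted JSON with String keys, then symbolize only known keys.
require 'json'

# Keys the application actually understands (constructed for this example).
ALLOWED_KEYS = %w[id name email].freeze

# Constructed sample of an untrusted payload with one unexpected key.
SAMPLE_UNTRUSTED = '{"id": 1, "name": "alice", "zzz_random_7f3a": true}'.freeze

# Parse with the standard library. Without symbolize_names the result
# has String keys, which are ordinary garbage-collectable objects.
def parse_untrusted(json_text)
  JSON.parse(json_text) # never pass symbolize_names: true for untrusted input
end

# Recursively symbolize only allow-listed keys. Unknown keys are kept as
# Strings rather than turned into Symbols, so the caller's input cannot
# grow the symbol table by choosing arbitrary key names.
def symbolize_known_keys(value, allowed = ALLOWED_KEYS)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      key = allowed.include?(k) ? k.to_sym : k
      out[key] = symbolize_known_keys(v, allowed)
    end
  when Array
    value.map { |v| symbolize_known_keys(v, allowed) }
  else
    value
  end
end

# Detection hook: list the top-level keys that were not in the allow-list,
# so unexpected key names can be logged or counted per client.
def unknown_keys(parsed_hash, allowed = ALLOWED_KEYS)
  parsed_hash.keys.reject { |k| allowed.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  data = parse_untrusted(SAMPLE_UNTRUSTED)
  puts "string keys only: #{data.keys.all? { |k| k.is_a?(String) }}"
  puts "unknown keys:     #{unknown_keys(data).inspect}"
  puts "symbolized:       #{symbolize_known_keys(data).inspect}"
end
```

Because `symbolize_known_keys` recurses into nested hashes and arrays, the same allow-list applies at every depth; a separate per-level allow-list would be the natural refinement for schemas where the same key name means different things at different levels.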


ohler55 commented Dec 26, 2012

Closing this issue as it appears it would be fixed by a more careful look at the documentation and there has been no response for a week.

@ohler55 ohler55 closed this as completed Dec 26, 2012