
Oj parsing issue #56

zimbatm opened this Issue · 2 comments



Oj shouldn't produce symbols when parsing a JSON message:

require 'oj'

res = Oj.dump({:a => 'b'}) #=> "{\":a\":\"b\"}"
Oj.load(res)               #=> {:a => 'b'}

It's wrong because the format never specifies the symbol type, which opens unexpected behaviors, but more importantly, symbols are never garbage collected, which means that an attacker could easily flood a VM with unused objects.


That is the behavior in the :object mode. If it is not what you want then use a different mode. You can also change the symbolize_keys option. It is only a vulnerability if you expose it directly to end users in that mode. Don't do that and you will be fine.


Closing this issue as it appears it would be fixed by a more careful look at the documentation and there has been no response for a week.

@ohler55 ohler55 closed this
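The mitigation the maintainer points at (parse untrusted input in a mode that yields string keys, and only symbolize what the application actually expects) can be made explicit in code. The following is an added example written for this page, not code from the Oj project or from either participant; it uses the Ruby standard library's json gem in place of Oj so it runs without the gem installed (with Oj, the equivalent first step would be loading in the :strict mode, which also returns string keys). The sample JSON, the KNOWN_KEYS allowlist and the function names are constructed for the illustration.

```ruby
require 'json'

# Constructed sample of an attacker-controlled message. The two
# zz_unexpected_* keys stand in for names the application never asked for;
# each one turned into a Symbol is an interned object the caller did not choose.
UNTRUSTED_JSON = '{"a":"b","zz_unexpected_key_1":1,"zz_unexpected_key_2":2,' \
                 '"nested":{"name":"x","other":true},"list":[{"email":"e@x"}]}'

# Keys the application understands. Only these are ever interned as Symbols;
# everything else stays a plain, GC-able String.
KNOWN_KEYS = %w[a name email nested list].freeze

# Recursively convert allowlisted Hash keys to Symbols, leaving unknown keys
# as Strings. Arrays are walked so nested objects get the same treatment.
def symbolize_known(value, known = KNOWN_KEYS)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      key = known.include?(k) ? k.to_sym : k
      out[key] = symbolize_known(v, known)
    end
  when Array
    value.map { |v| symbolize_known(v, known) }
  else
    value
  end
end

# Parse untrusted JSON with String keys (JSON.parse's default, no symbols
# created for input-controlled names), then symbolize only allowlisted keys.
def parse_with_allowlisted_symbols(json, known = KNOWN_KEYS)
  symbolize_known(JSON.parse(json), known)
end

# Report how many distinct keys the input carries versus how many the
# allowlist would intern. Useful as a quick check of the exposure a given
# message type creates before deciding on a symbolizing mode.
def symbol_exposure(json, known = KNOWN_KEYS)
  keys = []
  walk = lambda do |v|
    case v
    when Hash then v.each { |k, val| keys << k; walk.call(val) }
    when Array then v.each { |val| walk.call(val) }
    end
  end
  walk.call(JSON.parse(json))
  distinct = keys.uniq
  { total_keys: distinct.size, interned: distinct.count { |k| known.include?(k) } }
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_allowlisted_symbols(UNTRUSTED_JSON)
  p symbol_exposure(UNTRUSTED_JSON)
end
```

Design note: the allowlist is the important part. Any approach that turns every incoming key into a Symbol lets the sender decide how many interned names the process holds, which is exactly the flooding concern raised in the issue; with the allowlist, that number is bounded by the size of KNOWN_KEYS no matter what the message contains.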