Git Product home page Git Product logo

Comments (4)

sferik avatar sferik commented on August 16, 2024

Try upgrading to 1.6.0.

from multi_json.

phoet avatar phoet commented on August 16, 2024

see this discussion here: flori/json#159

from multi_json.

flori avatar flori commented on August 16, 2024

Is there a distinction in between safe and unsafe methods for JSON deserialisation in MultiJson? The main problem with the recent security problems in Rails seems to be that there is no clear distinction between safe and unsafe interfaces to do this.

There are two major use cases why someone would want to deserialise something:

  • Loading for example a configuration or a database record from a trusted source (can be unsafe),
  • Parsing a message from a web client, etc., that is an untrusted source (should be very safe, that is prohibiting DOS attacks, injections, etc.).

The problem is how people can be directed to use the safe way when they don't bother thinking about the security implications, while still allowing people to do the unsafe things, if they really want to. The latter way should be cumbersome or deterrent enough, so the former group of people can never coincidentally stumble upon it.

from multi_json.

phoet avatar phoet commented on August 16, 2024

i think that there is no distinction in MultiJson for this purpose.

our problem is, that we use it talk to our "trusted" couchdb and handle object serialization while it also supports "untrusted" json requests from webclients...

nevertheless, i think that these security updates should manifest in minor or even mayor version updates.
jsongem fix version update from 1.7.6 to 1.7.7 breaks our whole app and there is no way of configuring it to work like before.

the same is true for OJ. MultiJson does not allow :compat mode, so deserialization is completele disabled:
https://github.com/intridea/multi_json/blob/master/lib/multi_json/adapters/oj.rb#L19

from multi_json.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.