search

ijl / orjson

Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy
Apache License 2.0
6.29k stars 215 forks source link

Checking kwarg names by identity isn't always safe #501

Closed Dr-Emann closed 4 months ago

Dr-Emann commented 4 months ago

Version: orjson==3.10.6

Example code which fails unexpectedly:

import orjson

kwargs_orig = {"option": orjson.OPT_INDENT_2}
kwargs_new = orjson.loads(orjson.dumps(kwargs_orig))

assert kwargs_orig == kwargs_new

orjson.dumps(None, **kwargs_orig) # "null"
orjson.dumps(None, **kwargs_new)
# ^- TypeError: dumps() got an unexpected keyword argument

This is caused by comparing kwargs by pointer identity, e.g. here: https://github.com/ijl/orjson/blob/4c05bfafdd2613e20b9be994ec3eaa846700a568/src/lib.rs#L343

Python strings should only be compared by identity when both are known to be interned. While kwarg keys are usually interned because they're usually literals, that's not always the case.

Based on the same issue found in ariebovenberg/whenever#149

Dr-Emann commented 4 months ago

Assuming this was auto-closed because of the stale marker: I don't believe this is stale