michalmuskala / jason

A blazing fast JSON parser and generator in pure Elixir.

Report on JSON Interoperability—Duplicate Key Handling #132

Closed halostatue closed 2 years ago

halostatue commented 3 years ago

I was reading an interesting article on JSON interoperability vulnerabilities from Bishop Fox Labs and Jason was one of the tested libraries.

It might be useful to allow the decoder to choose between first-key or last-key on duplicate keys during parsing; I’m not sure how this would be configured in something like Phoenix, Ecto, or Absinthe, but given some of the issues mentioned in the article, this may be worth pursuing.

michalmuskala commented 2 years ago

With 7e25ebb8ecf11bf959f805a767661f1c24c2a8fa this can be handled at application level by decoding with the option objects: :ordered_objects and explicitly picking which element to use or to outright error in case of duplicates.
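The approach described in the reply above, worked through as an added example (not Jason's own code and not posted by either participant): decode with `objects: :ordered_objects` so every key/value pair survives in document order, then walk the resulting `%Jason.OrderedObject{}` tree and apply an explicit duplicate-key policy while converting back to plain maps. It assumes a Jason release that includes the commit referenced above (1.4 or later); the module name `DupKeys`, the policy atoms `:error`, `:first` and `:last`, and the sample document are all assumptions made for this example.

```elixir
# Added example, not part of Jason. Assumes Jason >= 1.4 so that
# `objects: :ordered_objects` and %Jason.OrderedObject{} are available.
defmodule DupKeys do
  @moduledoc """
  Decode JSON via Jason's `objects: :ordered_objects` option and resolve
  duplicate object keys under an explicit policy (names chosen here):

    * `:error` - reject the document on the first duplicate key
    * `:first` - keep the first occurrence of a key
    * `:last`  - keep the last occurrence of a key
  """

  # Constructed sample: a duplicated top-level key and a duplicated nested key.
  @sample ~s({"user": "alice", "role": "guest", "role": "admin", "meta": {"x": 1, "x": 2}})

  def sample, do: @sample

  @doc "Decode `json`, returning `{:ok, map}` or `{:error, reason}`."
  def decode(json, policy \\ :error) when policy in [:error, :first, :last] do
    with {:ok, decoded} <- Jason.decode(json, objects: :ordered_objects) do
      resolve(decoded, policy)
    end
  end

  # Objects arrive as %Jason.OrderedObject{values: [{key, value}, ...]} in
  # document order, so duplicates are visible here instead of being silently
  # collapsed by a map.
  defp resolve(%Jason.OrderedObject{values: pairs}, policy) do
    Enum.reduce_while(pairs, {:ok, %{}}, fn {key, raw}, {:ok, acc} ->
      case resolve(raw, policy) do
        {:ok, value} ->
          cond do
            not Map.has_key?(acc, key) -> {:cont, {:ok, Map.put(acc, key, value)}}
            policy == :error -> {:halt, {:error, {:duplicate_key, key}}}
            policy == :first -> {:cont, {:ok, acc}}
            policy == :last -> {:cont, {:ok, Map.put(acc, key, value)}}
          end

        {:error, _} = err ->
          {:halt, err}
      end
    end)
  end

  # Arrays may contain objects, so recurse into every element.
  defp resolve(list, policy) when is_list(list) do
    list
    |> Enum.reduce_while({:ok, []}, fn item, {:ok, acc} ->
      case resolve(item, policy) do
        {:ok, value} -> {:cont, {:ok, [value | acc]}}
        {:error, _} = err -> {:halt, err}
      end
    end)
    |> case do
      {:ok, acc} -> {:ok, Enum.reverse(acc)}
      err -> err
    end
  end

  # Strings, numbers, booleans and nil pass through unchanged.
  defp resolve(scalar, _policy), do: {:ok, scalar}
end

# Usage: the same document under each policy.
DupKeys.decode(DupKeys.sample())
DupKeys.decode(DupKeys.sample(), :first)
DupKeys.decode(DupKeys.sample(), :last)
```

With the sample above, the `:error` policy stops at the duplicated `"role"` key, `:first` yields `"guest"` and `"x" => 1`, and `:last` yields `"admin"` and `"x" => 2`. The policy only takes effect where the application calls the decoder itself; frameworks that call `Jason.decode!` directly (for example through Plug.Parsers' `:json_decoder` option) would need to be pointed at a wrapper like this one.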