[arvados] updated: 2.1.0-2817-g9f80d6faa

git repository hosting git at public.arvados.org
Wed Aug 3 17:32:21 UTC 2022


Summary of changes:
 services/api/app/controllers/application_controller.rb | 2 +-
 services/api/lib/safe_json.rb                          | 2 +-
 services/api/test/test_helper.rb                       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

       via  9f80d6faad811c24a3c6f72e0c650dd167669ad1 (commit)
      from  93ba5cfb797352306b5472cf2ab3b0519a9c68ba (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 9f80d6faad811c24a3c6f72e0c650dd167669ad1
Author: Tom Clegg <tom at curii.com>
Date:   Wed Aug 3 13:13:46 2022 -0400

    19316: Change Oj.strict_load to its new name, safe_load.
    
    "The Oj.safe_load() method sets and uses the most strict and safest
    options."
    
    https://github.com/ohler55/oj/blob/develop/pages/Security.md
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 4625ef654..6d1a7c9e8 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -348,7 +348,7 @@ class ApplicationController < ActionController::Base
     if @attrs.nil?
       @attrs = {}
     elsif @attrs.is_a? String
-      @attrs = Oj.strict_load @attrs, symbol_keys: true
+      @attrs = Oj.safe_load @attrs, symbol_keys: true
     end
     unless [Hash, ActionController::Parameters].include? @attrs.class
       message = "No #{resource_name}"
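Review bot: On the changed line in the `@attrs.is_a? String` branch, `symbol_keys: true` is still passed as a second argument, but Oj documents `safe_load` as taking only the document and parsing with `symbol_keys` turned off, so this is not a drop-in rename for this call. Either keep `Oj.strict_load @attrs, symbol_keys: true` here, or call `Oj.safe_load @attrs` and symbolize the keys afterwards if the code that follows expects symbol keys. A controller test that sends the attributes as a JSON string would catch a regression on this path.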
diff --git a/services/api/lib/safe_json.rb b/services/api/lib/safe_json.rb
index f78a3d34d..9487804b6 100644
--- a/services/api/lib/safe_json.rb
+++ b/services/api/lib/safe_json.rb
@@ -13,6 +13,6 @@ class SafeJSON
       # https://github.com/ohler55/oj/issues/441)
       return nil
     end
-    Oj.strict_load(s, symbol_keys: false)
+    Oj.safe_load(s, symbol_keys: false)
   end
 end
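Review bot: `Oj.safe_load(s, symbol_keys: false)` passes an option hash to a method that Oj documents with a single document argument and with `symbol_keys` already off. The option is redundant at best, so suggest `Oj.safe_load(s)`, plus a unit test that calls `SafeJSON.load` with a non-empty string so an argument-count error surfaces in CI rather than at request time.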
diff --git a/services/api/test/test_helper.rb b/services/api/test/test_helper.rb
index 843d4f1b2..057c60774 100644
--- a/services/api/test/test_helper.rb
+++ b/services/api/test/test_helper.rb
@@ -38,7 +38,7 @@ require 'mocha/minitest'
 
 module ArvadosTestSupport
   def json_response
-    Oj.strict_load response.body
+    Oj.safe_load response.body
   end
 
   def api_token(api_client_auth_name)
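Review bot: `json_response` is the only call site in this commit that passes `safe_load` a single argument, so tests that parse through this helper do not exercise the two-argument forms changed in application_controller.rb and safe_json.rb. Worth adding a test for each of those paths before relying on the suite to validate the rename.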

-----------------------------------------------------------------------


hooks/post-receive
-- 



