author | stuebinm | 2021-11-14 15:55:20 +0100 |
---|---|---|
committer | stuebinm | 2021-11-14 15:56:19 +0100 |
commit | 3c67bd96024e042f377ca74f136a2e3754154a8c (patch) | |
tree | 65dfee7c46e635a3a14394a737d9f40cccf853e3 | |
parent | 03b88da28bb38d42b21ab88087479d9252a40c31 (diff) |
add runtime warning for older Aeson versions
-rw-r--r-- | src/Main.hs | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/Main.hs b/src/Main.hs
index d91aee3..5b8b66f 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -6,17 +6,18 @@ module Main where
+import Control.Monad.Identity (Identity)
 import Data.Aeson (eitherDecode, encode)
 import Data.Aeson.Encode.Pretty (encodePretty)
+import Data.Aeson.KeyMap (coercionToHashMap)
 import qualified Data.ByteString.Char8 as C8
 import qualified Data.ByteString.Lazy as LB
 import Data.Maybe (fromMaybe)
+import System.Exit (exitWith)
 import WithCli
 import CheckDir (recursiveCheckDir)
-import Control.Monad.Identity (Identity)
 import LintConfig (LintConfig (..), patch)
-import System.Exit (exitWith)
 import Types (Level (..))
 import Util (printPretty)
 import WriteRepo (writeAdjustedRepository)
@@ -46,6 +47,8 @@ main = withCli run
 run :: Options -> IO ()
 run options = do
+  aesonWarning
+
   let repo = fromMaybe "." (repository options)
   let entry = fromMaybe "main.json" (entrypoint options)
   let level = fromMaybe Suggestion (lintlevel options)
@@ -74,3 +77,20 @@ run options = do
 -- | haskell's many string types are FUN …
 printLB :: LB.ByteString -> IO ()
 printLB a = putStrLn $ C8.unpack $ LB.toStrict a
+
+
+-- if Aesons's internal map and HashMap are the same type, then coercionToHashMap
+-- will contain a proof of that, and we can print a warning. Otherwise we're not
+-- using HashMaps in Aeson and everything is fine.
+--
+-- cf. https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html
+aesonWarning :: IO ()
+aesonWarning = case coercionToHashMap of
+  Just _ -> putStrLn
+    "Warning: this program was compiled using an older version of the Aeson Library\n\
+    \used for parsing JSON, which is susceptible to hash flooding attacks.\n\
+    \n\
+    \Recompiling with a newer version is recommended when handling untrusted inputs.\n\
+    \n\
+    \See https://cs-syd.eu/posts/2021-09-11-json-vulnerability for details."
+  _ -> pure ()
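Review bot: The warning in the `Just _ -> putStrLn` branch of `aesonWarning` is written to stdout, the same stream `printLB` uses for the program's actual output, so anything consuming that output (a pipe, a JSON parser) will see the diagnostic mixed in; a warning belongs on stderr: `Just _ -> hPutStrLn stderr`, with `import System.IO (hPutStrLn, stderr)` added to the import block in the first hunk. The message text is also slightly off: as far as I can tell `Data.Aeson.KeyMap` only exists from aeson 2.0 onward, so a `Just` proof from `coercionToHashMap` means the build selected the HashMap-backed KeyMap (the `ordered-keymap` cabal flag turned off) rather than "an older version of the Aeson Library", and rewording it to "built with a HashMap-backed aeson KeyMap; rebuild with the ordered-keymap flag enabled" would point users at the actual knob. Since the check is a compile-time fact surfaced at runtime, a one-line comment such as `-- runtime check only; the backend is fixed at build time by aeson's ordered-keymap flag` above the signature would help the next reader, and the leading comment's `Aesons's` is a typo. The `run` body that gains the `aesonWarning` call in the second hunk continues outside the hunk.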