top | item 40781101

motrm | 1 year ago

If the pieces of state are all well known at build time - and trusted in terms of their content - it may be feasible to print out JSON 'manually' as it were, instead of needing to use a JSON library,

  print "{";
  print "\"some_state\": \"";
  print GlobalState.Something.to_text();
  print "\", ";
  print "\"count_of_frobs\": ";
  print GlobalState.FrobsCounter;
  print "}";
Whether it's worth doing this just to rid yourself of a dependency... who knows.

Gigachad | 1 year ago

This looks like the exact kind of thing that results in unexpected exploits.

Spivak | 1 year ago

Hand rolled JSON input processing, yes. Hand rolled JSON output, no.

You're gonna have a hard time exploiting a text file output that happens to be JSON.

syncsynchalt | 1 year ago

Even better to just use TSV. Hand-rolling XML or JSON is always a smell to me, even if it's visibly safe.

masklinn | 1 year ago

Hand-rolling TSV is no better. The average TSV generator does not pay any mind to data cleaning, and quoting / escaping is non-standard, so what the other side will do with it is basically playing Russian roulette.

Using C0 codes is likely safer at least in the sense that you will probably think to check for those and there is no reason whatsoever for them to be found in user data.

hackernudes | 1 year ago

Do you mean TLV (tag-length-value)? I can't figure out what TSV is.

fiedzia | 1 year ago

> If the pieces of state are all well known at build time - and trusted in terms of their content

... then use a library, because you should not rely on the assumption that the next developer adding one more piece to this code will magically remember to validate it against the JSON spec.

maxbond | 1 year ago

No magic necessary. Factor your hand-rolling into a function that returns a string (instead of printing as in the example), and write a test that parses its return with a proper JSON library. Assert that the parsing was successful and that the extracted values are correct. Ideally you'd use a property test.
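As an added illustration of the approach described in this reply (not code from any of the commenters): the sketch from the top post turned into a function that returns a string, placed beside a naive version with no escaping, plus a small randomized round-trip check that parses the output with the standard `json` module. The field names `some_state` and `count_of_frobs` are taken from the top post; the escaping rules are those of RFC 8259 (quote, backslash and U+0000..U+001F must be escaped); the random alphabet and trial count are arbitrary choices of this example.

```python
import json
import random
import string

# Naive emitter in the spirit of the original sketch: values are concatenated
# with no escaping, so a quote, backslash or control character in some_state
# corrupts the document.
def naive_json(some_state: str, count_of_frobs: int) -> str:
    return ('{"some_state": "' + some_state + '", "count_of_frobs": '
            + str(count_of_frobs) + '}')

# Short escapes JSON defines for common characters (RFC 8259, section 7).
_ESCAPES = {
    '"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
    '\n': '\\n', '\r': '\\r', '\t': '\\t',
}

def json_escape(s: str) -> str:
    """Return s as a JSON string literal, including the surrounding quotes."""
    out = []
    for ch in s:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20:            # remaining C0 controls: \u00XX form
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return '"' + ''.join(out) + '"'

def hand_rolled_json(some_state: str, count_of_frobs: int) -> str:
    """Hand-built JSON object; returns a string so a test can parse it."""
    return ('{"some_state": ' + json_escape(some_state)
            + ', "count_of_frobs": ' + str(int(count_of_frobs)) + '}')

def round_trips(emit, some_state: str, count: int) -> bool:
    """True if a real JSON parser reads back exactly the values we put in."""
    try:
        parsed = json.loads(emit(some_state, count))
    except ValueError:                  # JSONDecodeError is a ValueError
        return False
    return parsed == {"some_state": some_state, "count_of_frobs": count}

def property_check(emit, trials: int = 500, seed: int = 0):
    """Poor man's property test: random strings drawn from an alphabet that
    deliberately includes quotes, backslashes, controls and non-ASCII.
    Returns the first failing some_state value, or None if all trials pass."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + '"\\\n\r\t\x00\x1f/\u00e9'
    for _ in range(trials):
        s = ''.join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        n = rng.randint(-1000, 1000)
        if not round_trips(emit, s, n):
            return s
    return None

if __name__ == "__main__":
    print(hand_rolled_json('say "hi"\n', 3))
    print("naive emitter first failure:", repr(property_check(naive_json)))
    print("escaped emitter first failure:", repr(property_check(hand_rolled_json)))
```

The only parser in the picture is the one in the test; production code still ships without a JSON dependency, which is the trade-off the top post is weighing. A real property-testing library would generate the inputs more systematically than `property_check` does, but even this crude version finds the naive emitter's first failure within a handful of trials.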

mananaysiempre | 1 year ago

That’s somewhat better than assembling, say, HTML or SQL out of text fragments, but it’s still not fantastic. A JSON output DSL would be better still—it wouldn’t have to be particularly complicated. (Shame those usually only come paired with parsers, libxo excepted.)