item 46136445


tinco | 2 months ago

Unsafe deserialization is a very 2010 Ruby on Rails sort of vulnerability. It is strangely interesting that such a vulnerability was introduced so late in the lifetime of these frameworks. It must be a very sneaky vulnerability given how cautious we have become around deserialization since then.


Tomuus | 2 months ago

The React Server Components wire format (Flight) is relatively novel and very new (it has existed in React stable for just a year). This is not a simple JSON parsing bug.

tinco | 2 months ago

The Rails bugs weren't about JSON parsing; they were deserializing into Ruby objects of classes that had side effects, and those side effects led to RCE possibilities. Since those happened, you'll find any deserialization library, especially in dynamic languages, will have a safe (or conversely unsafe) deserialize function to make it more explicit that there are risks involved.

LunaSea | 2 months ago

I'm willing to bet that this is linked to the magic __proto__ object namespace in JavaScript.
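LunaSea's guess above points at the JavaScript `__proto__` key. As an added illustration that is not code from this thread, from React or from Rails, the block below shows why a deserialized document carrying that key is harmless straight out of `JSON.parse` but becomes prototype pollution once a naive recursive merge copies it into another object, alongside a hardened merge that refuses the key; the payload is constructed for the example.

```javascript
// Added example (not from the thread, React or Rails): a deserialized object
// carrying a "__proto__" key is harmless after JSON.parse, but a naive recursive
// merge turns it into prototype pollution; the hardened merge refuses the key.
const SAMPLE_PAYLOAD = '{"name":"demo","__proto__":{"polluted":true}}'; // constructed
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// JSON.parse makes "__proto__" an OWN property; the prototype chain is untouched.
function parsedHasOwnProtoKey(text) {
  return hasOwn(JSON.parse(text), '__proto__');
}

// Vulnerable pattern: target["__proto__"] reads Object.prototype, and the
// recursion then writes the hostile document's keys into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObj(val)) {
      if (!isObj(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened version: drop the dangerous names and only recurse into own props.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isObj(val)) {
      if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs a merge on the payload, reports whether an unrelated fresh object now
// sees "polluted", and removes any pollution so the process is left clean.
function mergePollutes(mergeFn, text) {
  mergeFn({}, JSON.parse(text));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

The same key-name check belongs anywhere deserialized data is merged into configuration or option objects, not only in hand-written merge helpers.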