encoding/json: detect circular data structures when encoding #10769
Comments
Isn't it a documented encoding/json limitation? What would be the expected behavior of such a program?
If it is a documented limitation I would strongly expect it to return an informative ERROR - and not go into a glowing hot CPU and then panic. It should be possible to detect these cycles earlier. In this case it's triggered from a Go template -- go template end users don't understand cyclic object graphs until it's spelled out for them.
The json package says:
The template package says:
So, I guess you are kind of correct when you say that this is a documented limitation ... But one could argue that this opens the html templates up for code injection (DDoS), which the documentation says it protects against.
I don't think it's reasonable to expect the template package to mitigate all possible forms of pathological input. I'm sure it's possible, but am having a hard time imagining a real program that would allow a user to construct the circular graph that triggers this behaviour. To mitigate this issue we would necessarily complicate and slow down the JSON encoder, which is something we have decided not to do. Thanks for the report.
Up to you. BTW, this issue was found by a user using a real program. He didn't have to "construct the circular graph", it was there in the context. Maybe it shouldn't have been, but circular refs are very common -- I wouldn't call them "pathological input".
How could it be anything other than pathological? What is a reasonable way to JSON encode a circular data structure?
It wouldn't be too hard or slow down the JSON encoder much to catch circular references. (and if we catch one, we can just return an error) I think we can leave this open.
That I agree about. The Go program in question is Hugo, a static site generator. It uses Go templates. In the template context is the So a person does this in a template (gohugoio/hugo#1123):
And BAM! I would agree that this usage is "pathological", but people do stupid (and some do evil) things. And from Hugo's point of view, to fix this, we must remove the circular reference from
Change https://golang.org/cl/187920 mentions this issue:
just return an error if there is a circular reference
The documentation says:
However, there are still cases that result in an infinite recursion in Go 1.15. It seems that 64c9ee9 does not handle cyclic maps or slices:

```go
package main

import "encoding/json"

func main() {
	x := map[string]interface{}{}
	x["x"] = x // the map contains itself
	json.Marshal(x)
}
```

and

```go
package main

import "encoding/json"

func main() {
	x := []interface{}{nil}
	x[0] = x // the slice contains itself
	json.Marshal(x)
}
```
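A pre-flight check that a caller could run on untrusted or template-supplied values before handing them to `json.Marshal`, covering the pointer, map and slice cycles discussed in this thread. This is an added example, not code from the thread or from the Go project; `hasCycle` and `cyclic` are hypothetical names.

```go
package main

import (
	"fmt"
	"reflect"
)

// hasCycle (hypothetical helper) reports whether v can reach itself.
func hasCycle(v interface{}) bool { return cyclic(reflect.ValueOf(v), map[interface{}]bool{}) }
// cyclic walks v depth-first, conservatively following unexported fields too.
func cyclic(v reflect.Value, path map[interface{}]bool) bool {
	var kids []reflect.Value
	switch v.Kind() {
	case reflect.Ptr, reflect.Interface:
		kids = append(kids, v.Elem()) // Elem of nil is the zero Value
	case reflect.Map:
		for it := v.MapRange(); it.Next(); {
			kids = append(kids, it.Value())
		}
	case reflect.Slice, reflect.Array:
		for i := 0; i < v.Len(); i++ {
			kids = append(kids, v.Index(i))
		}
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			kids = append(kids, v.Field(i))
		}
	}
	if k := v.Kind(); k == reflect.Ptr || k == reflect.Map || k == reflect.Slice {
		key := [3]interface{}{v.Pointer(), v.Type(), len(kids)} // address, type, child count
		if path[key] {
			return true
		}
		path[key] = true
		defer delete(path, key) // leaving the path: shared values are not cycles
	}
	for _, c := range kids {
		if cyclic(c, path) {
			return true
		}
	}
	return false
}

func main() {
	x := map[string]interface{}{} // constructed input: a map that contains itself
	x["x"] = x
	fmt.Println(hasCycle(x))
}
```

Because the key includes the child count, a shorter sub-slice stored inside its parent slice is not reported as a cycle.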
@lujjjh this issue was closed approximately 10 months ago. Would you please raise a new issue if there is a problem in the current release of Go. Thank you.
The quote about the circular reference check is:

```go
// JSON cannot represent cyclic data structures and Marshal does not
// handle them. Passing cyclic structures to Marshal will result in
// an error.
```

it said
The following program panics.
OS: Linux
Go version: tip and 1.4.2
I searched, but didn't find this in here.
/cc @dvyukov go-fuzz