I'm observing the existence of several production servers that are buggy because the json.Decoder.Decode API lends itself to misuse.
Consider the following:
r := strings.NewReader("{} bad data")
var m map[string]interface{}
d := json.NewDecoder(r)
if err := d.Decode(&m); err != nil {
panic(err) // not triggered
}
json.NewDecoder is often used because the user has an io.Reader on hand or wants to configure some of the options on json.Decoder. However, the common case is that the user only wants to decode a single JSON value. As it stands the API does not make the common case easy since Decode is designed with the assumption that the user will continue to decode more JSON values, which is rarely the case.
The code above executes just fine without reporting an error and silently allows the decoder to silently accept bad input without reporting any problems.
mvdan, jimmyfrasche, daved, quasilyte, UFOXD and 19 moreainar-g, igoose1, pratikmallya, jasikpark, Splizard and 3 more
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4