
JSON Patch

(zuplo.com)
299 points DataOverload | 17 comments
1. hyperhello No.41881157
What’s nice about JSON is that it’s actually valid JavaScript, with some formal specification to avoid any nasty circles or injections.

Why can’t your protocol just be valid JavaScript too? this.name = “string”; instead of mixing so many metaphors?

replies(2): >>41881202 >>41881252
2. royjacobs No.41881202
Because that would require consumers to have a Javascript interpreter to use it.
replies(1): >>41881260
3. tablatom No.41881252
> Why can’t your protocol just be valid JavaScript too?

It is.

replies(1): >>41881301
4. moralestapia No.41881260
Because that would require consumers to have an interpreter for the most widely deployed language, ever, and by far.

FTFY

replies(3): >>41881372 >>41881376 >>41881821
5. hyperhello No.41881301
It’s delivered in JSON, but you need an interpreter. But the actions are just JS assignment statements and a little glue. Your interpreter could as easily handle that, and with far fewer bytes. Why call a member variable /name when it’s already .name?
6. yawnxyz No.41881372
Security nightmare; sometimes you don't want consumers to execute code arbitrarily.
replies(3): >>41881442 >>41881505 >>41883816
7. oguz-ismail No.41881376
Nah, in that case Python would be a better option as it's already installed everywhere.
replies(1): >>41881413
8. moralestapia No.41881413
That is so derangedly untrue.
replies(1): >>41881956
9. moralestapia No.41881442
Not true. Google, Meta, ... do it at a massive scale, no issues.

It's not really hard to protect yourself against that.

Any (competent) security guy can give you like 4 ways to implement it properly.

replies(2): >>41882391 >>41884807
10. kevin_thibedeau No.41881505
This is what makes Tcl great as a data interchange format. It comes with a safe mode for untrusted code and you can further restrict it to have no control flow commands to be non-Turing.
11. royjacobs No.41881821
But what's your point? Would you truly want consumers of JSON Patch data to embed a JS interpreter?
replies(1): >>41881846
12. moralestapia No.41881846
My point is that the JS interpreter is likely already there.
replies(1): >>41888517
13. jrockway No.41881956
Starlark is a nice embeddable scripting language, though. Java, Go, and Rust implementations: https://github.com/bazelbuild/starlark/blob/master/users.md#...
14. rererereferred No.41882391
Do you mean the ads they serve that contain malware?
15. crabmusket No.41883816
Ok hear me out, what if my API accepts WASM fragments that I run against my database but in a sandbox!
16. hifromwork No.41884807
I am a (hopefully competent) security guy, please don't run arbitrary code if you can help it. Especially for something as trivial as JSON patching.
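To make the "JSON patching is trivial" point concrete, here is an added example (not code from the thread or from the linked article): a minimal applier for the add/remove/replace/test subset of RFC 6902 with RFC 6901 pointers. The consumer needs only this small table-driven evaluator, applied all-or-nothing to a copy, and it rejects any op name it does not know; copy/move and the root pointer "" are left out for brevity, and the sample document and patch are constructed for the demo.

```python
import copy

SAFE_OPS = ("add", "remove", "replace", "test")  # RFC 6902 subset; copy/move omitted

def _resolve(doc, pointer):
    """Walk an RFC 6901 JSON Pointer; return (parent container, last token)."""
    if not pointer.startswith("/"):
        raise ValueError(f"unsupported pointer: {pointer!r}")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    return parent, tokens[-1]
def _get(doc, pointer):
    parent, key = _resolve(doc, pointer)
    return parent[int(key)] if isinstance(parent, list) else parent[key]
def _add(doc, pointer, value):
    parent, key = _resolve(doc, pointer)
    if isinstance(parent, list):
        parent.insert(len(parent) if key == "-" else int(key), value)
    else:
        parent[key] = value
def _remove(doc, pointer):
    parent, key = _resolve(doc, pointer)
    del parent[int(key) if isinstance(parent, list) else key]
def apply_patch(doc, patch):
    """Apply a JSON Patch to a copy of doc, all-or-nothing: any error raises and
    doc is untouched. Ops are dispatched by name from a fixed table, never eval'd."""
    work = copy.deepcopy(doc)
    for op in patch:
        kind, path = op.get("op"), op.get("path")
        if kind not in SAFE_OPS:
            raise ValueError(f"rejected op: {kind!r}")
        if kind == "test":
            if _get(work, path) != op["value"]:
                raise ValueError(f"test failed at {path}")
        elif kind == "remove":
            _remove(work, path)
        else:  # add or replace
            if kind == "replace":
                _get(work, path)  # replace requires an existing target
                _remove(work, path)
            _add(work, path, op["value"])
    return work

# Constructed sample: a config document and a patch that guards its change with "test".
SAMPLE_DOC = {"name": "svc", "tags": ["a", "b"], "limits": {"rps": 10}}
SAMPLE_PATCH = [{"op": "test", "path": "/limits/rps", "value": 10},
                {"op": "replace", "path": "/limits/rps", "value": 20},
                {"op": "add", "path": "/tags/-", "value": "c"},
                {"op": "remove", "path": "/name"}]
```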
17. _blk No.41888517
Only if you think of JSON in the context of a browser. JSON is used as a serialized representation of objects in embedded systems, config files, etc., where a JS interpreter is unnecessary, absent or unwanted (size, security, platform preferences, ...).