
JSON Patch

(zuplo.com)
299 points DataOverload | 14 comments
hyperhello No.41881157
What’s nice about JSON is that it’s actually valid JavaScript, with some formal specification to avoid any nasty circles or injections.

Why can’t your protocol just be valid JavaScript too? this.name = “string”; instead of mixing so many metaphors?

replies(2): >>41881202 #>>41881252 #
1. royjacobs No.41881202
Because that would require consumers to have a Javascript interpreter to use it.
replies(1): >>41881260 #
2. moralestapia No.41881260
Because that would require consumers to have an interpreter for the most widely deployed language, ever, and by far.

FTFY

replies(3): >>41881372 #>>41881376 #>>41881821 #
3. yawnxyz No.41881372
security nightmare; sometimes you don't want consumers to execute code arbitrarily
replies(3): >>41881442 #>>41881505 #>>41883816 #
4. oguz-ismail No.41881376
Nah, in that case Python would be a better option as it's already installed everywhere.
replies(1): >>41881413 #
5. moralestapia No.41881413
That is so derangedly untrue.
replies(1): >>41881956 #
6. moralestapia No.41881442
Not true. Google, Meta, ... do it at a massive scale, no issues.

It's not really hard to protect yourself against that.

Any (competent) security guy can give you like 4 ways to implement it properly.

replies(2): >>41882391 #>>41884807 #
7. kevin_thibedeau No.41881505
This is what makes Tcl great as a data interchange format. It comes with a safe mode for untrusted code and you can further restrict it to have no control flow commands to be non-Turing.
8. royjacobs No.41881821
But what's your point? Would you truly want consumers of JSON Patch data to embed a JS interpreter?
replies(1): >>41881846 #
9. moralestapia No.41881846
My point is that the JS interpreter is likely already there.
replies(1): >>41888517 #
10. jrockway No.41881956
Starlark is a nice embeddable scripting language, though. Java, Go, and Rust implementations: https://github.com/bazelbuild/starlark/blob/master/users.md#...
11. rererereferred No.41882391
Do you mean the ads they serve that contain malware?
12. crabmusket No.41883816
Ok hear me out, what if my API accepts WASM fragments that I run against my database but in a sandbox!
13. hifromwork No.41884807
I am a (hopefully competent) security guy, please don't run arbitrary code if you can help it. Especially for something as trivial as JSON patching.
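To make the point above concrete, here is an added example (not code from this thread or from the linked zuplo.com article) of what "JSON patching without running code" looks like: a small RFC 6902 applier for the add, remove, replace and test operations, with RFC 6901 pointer decoding. Everything an untrusted patch can do is a table lookup on plain data; anything outside that fixed set is rejected. The sample document and patch are constructed for illustration.

```python
import copy

def parse_pointer(pointer):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if not pointer.startswith("/"):
        raise ValueError(f"bad pointer: {pointer!r}")  # "" (whole doc) not handled here
    # Decode ~1 before ~0 so that "~01" yields "~1" rather than "/".
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]

def locate(doc, tokens):
    """Return (parent, key) for the container and member the tokens name."""
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    key = tokens[-1]
    if isinstance(parent, list):
        key = len(parent) if key == "-" else int(key)
    return parent, key

def apply_patch(doc, patch):
    """Apply an RFC 6902 patch to a copy of doc; raise ValueError on any failure."""
    doc = copy.deepcopy(doc)  # all-or-nothing: caller's object is untouched on error
    for op in patch:
        kind, path = op.get("op"), op.get("path", "")
        if kind not in ("add", "remove", "replace", "test"):
            raise ValueError(f"unsupported op: {kind!r}")  # data, never code: no eval here
        try:
            parent, key = locate(doc, parse_pointer(path))
            if kind == "add" and isinstance(parent, list):
                parent.insert(key, op["value"])
            elif kind == "add":
                parent[key] = op["value"]
            elif kind == "remove":
                del parent[key]
            elif kind == "replace":
                parent[key]  # target must already exist
                parent[key] = op["value"]
            elif parent[key] != op["value"]:  # test
                raise ValueError(f"test failed at {path}")
        except (KeyError, IndexError, TypeError) as exc:
            raise ValueError(f"cannot apply {kind} at {path}: {exc!r}") from exc
    return doc

SAMPLE_DOC = {"name": "svc", "tags": ["a", "b"], "limits": {"rps": 10}}  # constructed
SAMPLE_PATCH = [  # constructed: a patch as it might arrive from an untrusted client
    {"op": "test", "path": "/limits/rps", "value": 10},
    {"op": "replace", "path": "/limits/rps", "value": 20},
    {"op": "add", "path": "/tags/-", "value": "c"},
    {"op": "remove", "path": "/name"},
]
```

`apply_patch(SAMPLE_DOC, SAMPLE_PATCH)` returns the patched copy; a patch whose `op` is anything other than the four listed, or whose `test` does not hold, is refused with `ValueError` before any change is kept.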
14. _blk No.41888517
only if you think of JSON in the context of a browser. JSON is used as serialized representation of objects in embedded systems, config files, etc. where a JS interpreter is unnecessary, absent or unwanted (size, security, platform preferences, ...)