Remove object from the available list of FLUENT_OJ_OPTION_MODE

There is less benefit by this option in actual, and it will instroduce serious security risk since it can execute arbitrary Ruby code. We remove it since keeping it secure is difficult. ref: GHSL-2022-067 Signed-off-by: Takuro Ashie <ashie@clear-code.com>
fluent · Oct 27, 2022 · 48e5b85 · 48e5b85
1 parent d005002
commit 48e5b85
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/fluent/oj_options.rb b/lib/fluent/oj_options.rb
@@ -11,7 +11,7 @@ class OjOptions
 
     ALLOWED_VALUES = {
       'bigdecimal_load': %i[bigdecimal float auto],
-      'mode': %i[strict null compat json rails object custom]
+      'mode': %i[strict null compat json rails custom]
     }
 
     DEFAULTS = {