From 48e5b85dab1b6d4c273090d538fc11b3f2fd8135 Mon Sep 17 00:00:00 2001
From: Takuro Ashie
Date: Thu, 27 Oct 2022 11:44:28 +0900
Subject: [PATCH] Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE`

There is less benefit by this option in actual, and it will instroduce serious security risk since it can execute arbitrary Ruby code. We remove it since keeping it secure is difficult.
ref: GHSL-2022-067
Signed-off-by: Takuro Ashie
---
 lib/fluent/oj_options.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/fluent/oj_options.rb b/lib/fluent/oj_options.rb
index f1c274c119..a76e1f81ba 100644
--- a/lib/fluent/oj_options.rb
+++ b/lib/fluent/oj_options.rb
@@ -11,7 +11,7 @@ class OjOptions
 ALLOWED_VALUES = {
 'bigdecimal_load': %i[bigdecimal float auto],
- 'mode': %i[strict null compat json rails object custom]
+ 'mode': %i[strict null compat json rails custom]
 }
 DEFAULTS = {
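Review bot: Nothing next to the `'mode'` entry of `ALLOWED_VALUES` records why `object` is absent, so a later cleanup or feature request could put it back; a comment above that line such as `# :object is deliberately not allowed: it can lead to arbitrary Ruby code execution (GHSL-2022-067)` would keep the reason with the allow-list. The diffstat shows only `lib/fluent/oj_options.rb` changed, so no regression test comes with the fix; one asserting that `FLUENT_OJ_OPTION_MODE=object` is not accepted would pin it. How a value outside `ALLOWED_VALUES` is handled is not visible in this hunk, so it is worth confirming that a deployment that still sets `object` falls back to the default mode with a visible warning rather than silently. The `OjOptions` class body starts and ends outside the hunk.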