Compatibility with aeson 2.x #22
I wouldn't worry much about mitigating DoS just within the haskell-fido2 library. The chances are that a server that uses haskell-fido2 relies on aeson too. Fixing aeson would be the best for the Haskell ecosystem.
Sounds reasonable, so let's not act on it, but keep it in mind
This is fixed in the new aeson release
There's some compilation performance problem with deriving-aeson (which we're using) when using aeson 2.x, see fumieval/deriving-aeson#16. If this isn't fixed soon we'll have to not rely on deriving-aeson so we can update aeson.
This is being worked on by @ErinvanderVeen in https://github.com/tweag/webauthn/tree/aeson-2. We will make sure to have compatibility with both aeson 1.x and 2.x
This has been done with #115, we support both Aeson 1.x and 2.x now
We're using aeson to decode potentially malicious JSON, which has a known vulnerability that could allow a DoS attack: https://cs-syd.eu/posts/2021-09-11-json-vulnerability. We should look into whether this can be exploited in this library, and fix it if so. Issue to track: haskell/aeson#864