From 3c67bd96024e042f377ca74f136a2e3754154a8c Mon Sep 17 00:00:00 2001
From: stuebinm <stuebinm@disroot.org>
Date: Sun, 14 Nov 2021 15:55:20 +0100
Subject: [PATCH] add runtime warning for older Aeson versions

---
 src/Main.hs | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/Main.hs b/src/Main.hs
index d91aee3..5b8b66f 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -6,17 +6,18 @@
 
 module Main where
 
+import           Control.Monad.Identity   (Identity)
 import           Data.Aeson               (eitherDecode, encode)
 import           Data.Aeson.Encode.Pretty (encodePretty)
+import           Data.Aeson.KeyMap        (coercionToHashMap)
 import qualified Data.ByteString.Char8    as C8
 import qualified Data.ByteString.Lazy     as LB
 import           Data.Maybe               (fromMaybe)
+import           System.Exit              (exitWith)
 import           WithCli
 
 import           CheckDir                 (recursiveCheckDir)
-import           Control.Monad.Identity   (Identity)
 import           LintConfig               (LintConfig (..), patch)
-import           System.Exit              (exitWith)
 import           Types                    (Level (..))
 import           Util                     (printPretty)
 import           WriteRepo                (writeAdjustedRepository)
@@ -46,6 +47,8 @@ main = withCli run
 
 run :: Options -> IO ()
 run options = do
+  aesonWarning
+
   let repo = fromMaybe "." (repository options)
   let entry = fromMaybe "main.json" (entrypoint options)
   let level = fromMaybe Suggestion (lintlevel options)
@@ -74,3 +77,20 @@ run options = do
 -- | haskell's many string types are FUN …
 printLB :: LB.ByteString -> IO ()
 printLB a = putStrLn $ C8.unpack $ LB.toStrict a
+
+
+-- if Aesons's internal map and HashMap are the same type, then coercionToHashMap
+-- will contain a proof of that, and we can print a warning. Otherwise we're not
+-- using HashMaps in Aeson and everything is fine.
+--
+-- cf. https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html
+aesonWarning :: IO ()
+aesonWarning = case coercionToHashMap of
+  Just _ -> putStrLn
+    "Warning: this program was compiled using an older version of the Aeson Library\n\
+    \used for parsing JSON, which is susceptible to hash flooding attacks.\n\
+    \n\
+    \Recompiling with a newer version is recommended when handling untrusted inputs.\n\
+    \n\
+    \See https://cs-syd.eu/posts/2021-09-11-json-vulnerability for details."
+  _ -> pure ()
-- 
GitLab