The package in which HashMap is defined: Unordered containers specifically mentions: "This package currently provides no defenses against hash collision attacks such as HashDoS. Users who need to store input from untrusted sources are advised to use Data.Map or Data.Set from the containers package instead."
As a result, anyone who uses any of these functions is vulnerable:
This type uses a HashMap: https://hackage.haskell.org/package/http-api-data-0.4.3/docs/Web-FormUrlEncoded.html#t:Form
This includes a bunch of packages, including servant, see
More details about a similar issue here: https://cs-syd.eu/posts/2021-09-11-json-vulnerability
Proposed fix: Use Map instead of HashMap.
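As an added illustration that is not part of the original issue and is not http-api-data's own code, the sketch below decodes a form body into an ordered `Data.Map`, in the spirit of the proposed fix. The names `SafeForm`, `decodeForm` and `lookupAll`, the parameter cap, and the ASCII-only percent-decoding are assumptions made for the example.

```haskell
{-# LANGUAGE OverloadedStrings #-}
import           Data.Char       (chr, digitToInt, isHexDigit)
import qualified Data.Map.Strict as Map
import           Data.Text       (Text)
import qualified Data.Text       as T

-- | Hypothetical stand-in for a form type. Keys live in an ordered Map, so
-- inserts and lookups cost O(log n) comparisons regardless of how keys hash.
newtype SafeForm = SafeForm (Map.Map Text [Text])
  deriving (Eq, Show)

-- | Percent-decode one component ('+' means space). ASCII only (assumption):
-- malformed or non-ASCII escapes are rejected rather than guessed at.
unescape :: Text -> Either String Text
unescape = fmap T.pack . go . T.unpack
  where
    go []         = Right []
    go ('+' : cs) = (' ' :) <$> go cs
    go ('%' : a : b : cs)
      | isHexDigit a, isHexDigit b
      , let n = 16 * digitToInt a + digitToInt b, n < 128 = (chr n :) <$> go cs
    go ('%' : _)  = Left "malformed or non-ASCII percent escape"
    go (c : cs)   = (c :) <$> go cs

-- | Decode an application/x-www-form-urlencoded body. Bodies with more than
-- maxParams pairs are refused before any map is built (the cap is an
-- assumption of this example, not something the issue proposes).
decodeForm :: Int -> Text -> Either String SafeForm
decodeForm maxParams body
  | length pairs > maxParams = Left "too many form parameters"
  | otherwise = SafeForm . collect <$> traverse decodePair pairs
  where
    pairs = filter (not . T.null) (T.splitOn "&" body)
    -- Prepend repeated values in O(1), then restore the submitted order.
    collect = Map.map reverse . Map.fromListWith (++)
    decodePair p =
      let (k, v) = T.breakOn "=" p
      in (,) <$> unescape k <*> ((: []) <$> unescape (T.drop 1 v))

-- | All values submitted for a key, in order; empty if the key is absent.
lookupAll :: Text -> SafeForm -> [Text]
lookupAll k (SafeForm m) = Map.findWithDefault [] k m

main :: IO ()
main = do
  -- Constructed sample bodies, not taken from the issue.
  let ok = decodeForm 100 "name=Julian&tag=a&tag=b+c&note=x%3Dy"
  print ok
  print (lookupAll "tag" <$> ok)
  print (decodeForm 2 "a=1&b=2&c=3")
```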