Recently I evaluated Gin for use in a personal project. I was surprised to see that the first dependency of Gin is sonic, a JSON serialization/de-serialization package developed by the Chinese company Bytedance.
41% of the Sonic repository is Assembly. Almost every file I viewed used the unsafe package. Given that this package is used to validate user input (probably the most common attack vector), is this not a security concern for users of Gin?
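The question above rests on two observations about the dependency: Go files importing `unsafe` and hand-written assembly files, both of which sit outside the compiler's memory-safety guarantees. The following Go program is an added example (not code from the original post, from Gin, or from sonic) showing how a reviewer can mechanically surface exactly those two signals in a dependency tree instead of eyeballing files. The file contents in `sampleModule` are constructed for this illustration and do not come from the sonic repository.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"path/filepath"
	"sort"
)

// Finding records one file that an auditor should look at and why.
type Finding struct {
	File   string
	Reason string
}

// auditSources takes a map of file name -> source text and flags
//   - Go files that import "unsafe", and
//   - assembly files (.s), which the Go compiler never type-checks.
// For a real module you would read the files from the directory that
// `go list -deps -f '{{.Dir}}' ./...` prints for each dependency;
// here the sources are passed in so the example runs offline.
func auditSources(files map[string]string) ([]Finding, error) {
	var findings []Finding
	fset := token.NewFileSet()
	for name, src := range files {
		switch filepath.Ext(name) {
		case ".s":
			findings = append(findings, Finding{name, "assembly file"})
		case ".go":
			// ImportsOnly stops parsing after the import block, so the
			// audit is cheap and does not need the bodies to compile.
			f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", name, err)
			}
			for _, imp := range f.Imports {
				if imp.Path.Value == `"unsafe"` {
					findings = append(findings, Finding{name, "imports unsafe"})
				}
			}
		}
	}
	// Map iteration order is random; sort so the report is deterministic.
	sort.Slice(findings, func(i, j int) bool { return findings[i].File < findings[j].File })
	return findings, nil
}

// sampleModule is a constructed stand-in for a hypothetical JSON package
// (not sonic's real sources): one file uses unsafe, one is assembly,
// one is plain safe Go.
var sampleModule = map[string]string{
	"decoder.go":   "package fastjson\n\nimport (\n\t\"reflect\"\n\t\"unsafe\"\n)\n\nvar _ = unsafe.Pointer(nil)\nvar _ reflect.Type\n",
	"scan_amd64.s": "TEXT ·scan(SB),$0\n\tRET\n",
	"api.go":       "package fastjson\n\nimport \"encoding/json\"\n\nvar _ = json.Marshal\n",
}

func main() {
	findings, err := auditSources(sampleModule)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.File, f.Reason)
	}
}
```

Run against a real dependency, the output is a worklist rather than a verdict: each flagged file is where input-handling code bypasses Go's bounds and type checks, so those are the spots to read, fuzz, or cover with tests before trusting the package on untrusted JSON.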