Use JSON.parse to limit exposure

Using `JSON.load` on untrusted input is considered unsafe. While the MIME type definition files would presumably come from a trusted source, there doesn't seem to be a need for the "extra" stuff that `JSON.load` does in here, so switching over to the safer `JSON.parse` API should help to reduce exposure.
mime-types · Oct 14, 2014 · 961846c · 961846c
1 parent 6c75ee5
commit 961846c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/mime/types/loader.rb b/lib/mime/types/loader.rb
@@ -199,7 +199,7 @@ def load_from_yaml(filename)
     # shipped with the mime-types library.
     def load_from_json(filename)
       require 'json'
-      JSON.load(read_file(filename)).map { |type| MIME::Type.new(type) }
+      JSON.parse(read_file(filename)).map { |type| MIME::Type.new(type) }
     end
 
     private