Update standard render: use own dicts serializer instead of json.dump #69
Conversation
On these lines of `dump_json()` in the diff:

```python
if obj is None:
    return "null"

if isinstance(obj, bool):
```
Security: The dump_json() function lacks circular reference detection, making it vulnerable to infinite recursion attacks that could crash the application.
Committable code suggestion (replacing the highlighted `if isinstance(obj, bool):` block):

```python
def dump_json(obj, _seen=None, _depth=0, max_depth=100) -> str:
    '''
    Secure version of dump_json with circular reference detection and recursion limits.
    Serializes Python objects to JSON with single quotes for strings.
    '''
    # Initialize seen set for first call
    if _seen is None:
        _seen = set()
    # Check recursion depth
    if _depth > max_depth:
        raise RecursionError(f"Maximum recursion depth exceeded ({max_depth})")
    # Handle None
    if obj is None:
        return 'null'
    # Handle basic types
    if isinstance(obj, (int, float, bool)):
        return str(obj).lower()
    # Handle strings
    if isinstance(obj, str):
        # Escape single quotes and backslashes
        escaped = obj.replace("\\", "\\\\").replace("'", "\\'")
        return f"'{escaped}'"
    # Handle lists
    if isinstance(obj, (list, tuple)):
        items = []
        for item in obj:
            items.append(dump_json(item, _seen.copy(), _depth + 1, max_depth))
        return f"[{', '.join(items)}]"
    # Handle dictionaries
    if isinstance(obj, dict):
        # Check for circular references
        obj_id = id(obj)
        if obj_id in _seen:
            raise ValueError("Circular reference detected in object")
        _seen.add(obj_id)
        items = []
        for key, value in obj.items():
            key_str = dump_json(key, _seen.copy(), _depth + 1, max_depth)
            value_str = dump_json(value, _seen.copy(), _depth + 1, max_depth)
            items.append(f"{key_str}: {value_str}")
        return f"{{{', '.join(items)}}}"
    # Handle other objects by converting to string
    try:
        # Limit string size to prevent DoS
        obj_str = str(obj)
        if len(obj_str) > 10000:  # Reasonable limit
            obj_str = obj_str[:10000] + "...(truncated)"
        return f"'{obj_str}'"
    except Exception as e:
        return f"'<Object representation error: {str(e)}>'"
```
On the same `if obj is None:` / `if isinstance(obj, bool):` lines of `dump_json()`:
Security: No limits on output size or input validation for malicious objects, allowing memory exhaustion attacks through objects with malicious str methods.
On the `unquote()` definition in the diff:

```python
return content

def unquote(s, is_double_quoted=False):
```
Correctness: The new unquote() function processes escape sequences differently than the old inline implementation, potentially breaking existing code with backslash-containing strings.
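An added example, not the PR's serializer and not the bot's suggestion above, that shows the three review points in one runnable module: cycle detection along the current descent path (so an object that legitimately appears twice as a sibling is still allowed), a hard cap on output size and nesting depth so a hostile object cannot exhaust memory or the stack, and an `unquote()` that is the exact inverse of the escaping `dump_json()` applies, so backslash-containing strings round-trip. `SerializationError`, `MAX_OUTPUT`, `is_rejected()` and the refusal of unsupported types (instead of calling their `__str__`) are my assumptions, not the project's behaviour.

```python
# Added example (not the PR's code): single-quote serializer with path-based
# cycle detection, depth and output-size limits, and a matching unquote().

MAX_DEPTH = 100
MAX_OUTPUT = 10_000   # assumed cap on serialized size, in characters


class SerializationError(ValueError):
    """Raised for cycles, excessive depth/size, or unsupported types."""


def _escape(s: str) -> str:
    # Backslash first, so the quote escape added next is not re-escaped.
    return s.replace("\\", "\\\\").replace("'", "\\'")


def dump_json(obj, max_depth=MAX_DEPTH, max_output=MAX_OUTPUT) -> str:
    out = []          # pieces are joined once at the end (no quadratic concat)
    size = 0
    on_path = set()   # ids of the containers currently being descended into

    def emit(piece: str):
        nonlocal size
        size += len(piece)
        if size > max_output:
            raise SerializationError(f"output exceeds {max_output} characters")
        out.append(piece)

    def walk(o, depth):
        if depth > max_depth:
            raise SerializationError(f"nesting deeper than {max_depth}")
        if o is None:
            emit("null"); return
        if isinstance(o, bool):           # before int: bool is a subclass of int
            emit("true" if o else "false"); return
        if isinstance(o, (int, float)):
            emit(repr(o)); return
        if isinstance(o, str):
            emit("'" + _escape(o) + "'"); return
        if isinstance(o, (list, tuple, dict)):
            oid = id(o)
            if oid in on_path:            # same container is an ancestor: a cycle
                raise SerializationError("circular reference detected")
            on_path.add(oid)
            try:
                if isinstance(o, dict):
                    emit("{")
                    for i, (k, v) in enumerate(o.items()):
                        if i:
                            emit(", ")
                        walk(k, depth + 1)
                        emit(": ")
                        walk(v, depth + 1)
                    emit("}")
                else:
                    emit("[")
                    for i, item in enumerate(o):
                        if i:
                            emit(", ")
                        walk(item, depth + 1)
                    emit("]")
            finally:
                on_path.discard(oid)      # leaving the subtree: siblings may reuse it
            return
        # Anything else: refuse rather than run an untrusted __str__ unbounded.
        raise SerializationError(f"unsupported type {type(o).__name__}")

    walk(obj, 0)
    return "".join(out)


def unquote(s: str, is_double_quoted: bool = False) -> str:
    """Inverse of the escaping above, done in one left-to-right pass."""
    quote = '"' if is_double_quoted else "'"
    if len(s) < 2 or s[0] != quote or s[-1] != quote:
        raise SerializationError("not a quoted string")
    body, result, i = s[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            result.append(body[i + 1])    # \\ -> \ and \' -> ' (or \" -> ")
            i += 2
        else:
            result.append(c)
            i += 1
    return "".join(result)


def is_rejected(obj, **limits) -> bool:
    """True when dump_json refuses obj (cycle, depth, size or type)."""
    try:
        dump_json(obj, **limits)
        return False
    except SerializationError:
        return True
```

Tracking ids only for the containers on the current path (add on entry, discard on exit) costs O(1) per node, whereas copying the seen-set on every descent, as in the committable suggestion, costs O(path length) per node; both detect true cycles, but the path-based set also lets one dict be referenced from two siblings without a false positive. A single-pass `unquote()` avoids the order-dependence of chained `replace()` calls: a sequential `replace("\\\\", "\\")` followed by `replace("\\'", "'")` would turn the escaped text of `\'` (backslash, backslash, quote) into a bare quote instead of a backslash plus quote.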
On the same `if obj is None:` / `if isinstance(obj, bool):` lines of `dump_json()`:
Style: Inconsistent docstring format in dump_json() function
On the same `if obj is None:` / `if isinstance(obj, bool):` lines of `dump_json()`:
Performance: String concatenation in dump_json() could use list joining for better performance
On the same `def unquote(s, is_double_quoted=False):` line of the diff:
Performance: Multiple string replacements in unquote() could be optimized
Quoting rules for string content of the parser:
But standard render used json.dump. It added more quoted symbols that were parsed incorrectly, for example: