This is a security patch for JSON body parsers.
JSON body parsing was implemented using
Hanami::Utils::Json.load, which internally uses JSON.load.
According to the Ruby docs, JSON.load should be used only with trusted data:
it parses with "create additions" enabled, so a json_class key in an
attacker-controlled body makes the json gem instantiate an object of the
named class instead of returning a plain Hash.
Thanks to Lucas Hosseini for spotting this problem.
The patch introduces Hanami::Utils::Json.parse, a safe alternative for JSON parsing.
The JSON body parser now uses this new method, which guarantees a higher level of safety.
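The difference the patch relies on, shown as an added Ruby example (this is not code from the advisory or from hanami-utils). The AuditEntry class and the request body are constructed for the demonstration; the class stands in for any class with a json_create hook that the json gem is willing to build from a json_class key. create_additions is passed explicitly so the result is the same on json gem versions that have since deprecated it as the default of JSON.load.

```ruby
require 'json'

# Constructed for this example: any class that defines json_create is a
# candidate for the json gem's "create additions", i.e. a document with
# {"json_class": "AuditEntry", ...} becomes an AuditEntry instance.
class AuditEntry
  attr_reader :actor

  def initialize(actor)
    @actor = actor
  end

  # Hook the json gem calls when create additions are enabled.
  def self.json_create(obj)
    new(obj['actor'])
  end
end

# Constructed request body: the json_class key is the attacker's lever.
UNTRUSTED_BODY = '{"json_class":"AuditEntry","actor":"anonymous"}'.freeze

# What the vulnerable body parser effectively did: JSON.load with create
# additions (the historical default of JSON.load; passed explicitly here so
# the outcome does not depend on the installed json gem version).
def load_with_additions(body)
  JSON.load(body, nil, create_additions: true)
end

# What the patched parser does: plain JSON.parse, which never honours
# json_class and only returns Hash, Array, String, Numeric, true, false, nil.
def parse_safely(body)
  JSON.parse(body)
end

# Report what each path hands to the application for the same body.
def compare(body)
  {
    unsafe: load_with_additions(body).class.name,
    safe: parse_safely(body).class.name
  }
end

if $PROGRAM_NAME == __FILE__
  p compare(UNTRUSTED_BODY)
end
```

Running the file prints {:unsafe=>"AuditEntry", :safe=>"Hash"}: the same bytes yield an application object on the JSON.load path and an inert Hash on the JSON.parse path, which is exactly why the body parser was switched.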
From the root of your Hanami project:
bundle update hanami.