From 48e5b85dab1b6d4c273090d538fc11b3f2fd8135 Mon Sep 17 00:00:00 2001
From: Takuro Ashie
Date: Thu, 27 Oct 2022 11:44:28 +0900
Subject: [PATCH 1/2] Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE`

There is less benefit by this option in actual, and it will instroduce serious security risk since it can execute arbitrary Ruby code. We remove it since keeping it secure is difficult. ref: GHSL-2022-067

Signed-off-by: Takuro Ashie
---
 lib/fluent/oj_options.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/fluent/oj_options.rb b/lib/fluent/oj_options.rb
index f1c274c119..a76e1f81ba 100644
--- a/lib/fluent/oj_options.rb
+++ b/lib/fluent/oj_options.rb
@@ -11,7 +11,7 @@ class OjOptions
 
     ALLOWED_VALUES = {
       'bigdecimal_load': %i[bigdecimal float auto],
-      'mode': %i[strict null compat json rails object custom]
+      'mode': %i[strict null compat json rails custom]
     }
 
     DEFAULTS = {

From 3c417bb248921305e20ee8b9b3779bcaf24fd330 Mon Sep 17 00:00:00 2001
From: Takuro Ashie
Date: Thu, 27 Oct 2022 11:56:34 +0900
Subject: [PATCH 2/2] Remove `FLUENT_OJ_OPTION_MAX_NESTING`

This option doesn't take effect in actual since the global setting `Oj.default_options` doesn't accept `max_nesting`. It should be specified by each instances. https://github.com/fluent/fluentd/issues/3311#issuecomment-923741031

Signed-off-by: Takuro Ashie
---
 lib/fluent/oj_options.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/fluent/oj_options.rb b/lib/fluent/oj_options.rb
index a76e1f81ba..7ffacdb067 100644
--- a/lib/fluent/oj_options.rb
+++ b/lib/fluent/oj_options.rb
@@ -4,7 +4,6 @@ module Fluent
   class OjOptions
     OPTIONS = {
       'bigdecimal_load': :symbol,
-      'max_nesting': :integer,
       'mode': :symbol,
       'use_to_json': :bool
     }
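Review bot: The new `'mode':` allow-list drops `object` without any comment recording why, so a later maintainer reconciling this list against Oj's documented modes may simply put it back; add `# 'object' mode is deliberately excluded: it lets parsed JSON instantiate arbitrary Ruby objects (GHSL-2022-067)` above the `'mode':` entry in ALLOWED_VALUES. What happens when an operator's environment still carries `FLUENT_OJ_OPTION_MODE=object` (rejected with an error, or silently replaced by the default) is decided by code outside this hunk; whichever it is, a regression test asserting that `object` is refused would pin the fix. The OjOptions class and the DEFAULTS hash continue outside the hunk.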
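Review bot: Deleting `'max_nesting': :integer` from OPTIONS presumably makes an existing `FLUENT_OJ_OPTION_MAX_NESTING` setting silently ignored rather than rejected, and nothing in the hunk records that the nesting limit now has to be configured on each parser instance instead; a comment above OPTIONS such as `# max_nesting is intentionally absent: Oj.default_options does not honour it, so the depth limit must be set per parser instance` would keep that knowledge with the code. If DEFAULTS or the environment-variable reader elsewhere in this file still mentions max_nesting it should go in the same change; the one-deletion diffstat suggests they do not, but that is not visible here. The OjOptions class continues outside the hunk.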