OJ is not as safe as you think for your JSON

JSON parsing and generation are critical components in modern web applications. While OJ (Optimized JSON) is widely praised for its performance benefits in the Ruby ecosystem, there are important security and stability considerations that experienced engineers should be aware of.

Understanding the risks - Monkey patching concerns

When using Oj.mimic_JSON or Oj.optimize_rails, you're essentially replacing core JSON functionality. This can lead to unexpected behaviors, particularly around security features. Here's a concrete example:

# Standard JSON behavior
puts JSON.generate("</h1>", script_safe: true) # => "<\/h1>"

# OJ behavior
Oj.mimic_JSON
puts JSON.generate("</h1>", script_safe: true) # => "</h1>"

The script_safe option gets silently ignored by OJ, potentially exposing applications to XSS vulnerabilities. Time precision inconsistencies OJ can introduce subtle serialization differences:

ActiveSupport::JSON::Encoding.time_precision = 0
t = Time.now
# standard behavior
puts ActiveSupport::JSON.encode(t) # => "2025-02-01T10:37:12+01:00"

# oj behavior
require 'oj'
Oj.optimize_rails
Oj.mimic_JSON
puts ActiveSupport::JSON.encode(t) # => "2025-02-01T10:37:12.389+01:00"

Stability concerns

OJ has been a significant source of Ruby VM crashes in production environments. While the gem is actively maintained, its native C implementation contains complex memory management code that can lead to stability issues.

Best practices

  1. Careful evaluation - before adopting OJ for performance gains, thoroughly evaluate if the speed improvement justifies the potential risks.
  2. Testing strategy - implement comprehensive testing around JSON serialization, particularly focusing on:
    1. Security-sensitive data
    2. Time/date handling
    3. Unicode character encoding
    4. Large payload processing
  3. Monitoring - set up proper tracking for JSON-related errors and crashes when using OJ in production.

Summary

While OJ offers impressive performance benefits, its use comes with significant trade-offs regarding security and stability. Engineers should carefully weigh these factors against their specific use cases.

Happy JSONing!