Description
Blog post: https://cs-syd.eu/posts/2021-09-11-json-vulnerability
The biggest problem exposed by this blog post is that any third-party code using hash (using the default salt) that has problems with hash collisions can have malicious input constructed beforehand. The -frandom-init-seed flag helps with this at the cost of a different seed every start up.
One quick fix that can help mitigate this is to allow reading an environment variable like HASHABLE_DEFAULT_SALT with unsafePerformIO that one can set differently for their application. This has the advantage that my application can hash things with a different salt than the default, publicly available one, so an attacker attacking my application can't reuse malicious values from attacking another application. It would also be difficult to construct malicious input if my application's default salt isn't shared, and my application doesn't easily expose the default salt in any way.
Related: