Deprecate unsafe default options of JSON.load
[Feature #19528]

Ref: https://bugs.ruby-lang.org/issues/19528

`load` is understood as the default method for serializer kind of libraries, and
the default options of `JSON.load` have caused many security vulnerabilities over the
years.

The plan is to do like YAML/Psych, deprecate these default options and direct
users toward using `JSON.unsafe_load` so at least it's obvious it should not be
used against untrusted data.
byroot committed Oct 24, 2024
1 parent 7f079b2 commit 6e91648
Showing 9 changed files with 395 additions and 162 deletions.
135 changes: 72 additions & 63 deletions ext/json/ext/parser/parser.c

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions ext/json/ext/parser/parser.h
@@ -26,6 +26,7 @@ typedef struct JSON_ParserStruct {
char symbolize_names;
char freeze;
char create_additions;
char deprecated_create_additions;
} JSON_Parser;

#define GET_PARSER \
15 changes: 12 additions & 3 deletions ext/json/ext/parser/parser.rl
@@ -196,6 +196,9 @@ static char *JSON_parse_object(JSON_Parser *json, char *p, char *pe, VALUE *resu
if (!NIL_P(klassname)) {
VALUE klass = rb_funcall(mJSON, i_deep_const_get, 1, klassname);
if (RTEST(rb_funcall(klass, i_json_creatable_p, 0))) {
if (json->deprecated_create_additions) {
rb_warn("JSON.load implicit support for `create_additions: true` is deprecated and will be removed in 3.0, use JSON.unsafe_load or explicitly pass `create_additions: true`");
}
*result = rb_funcall(klass, i_json_create, 1, *result);
}
}
@@ -783,10 +786,16 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
}
tmp = ID2SYM(i_create_additions);
if (option_given_p(opts, tmp)) {
json->create_additions = RTEST(rb_hash_aref(opts, tmp));
} else {
json->create_additions = 0;
tmp = rb_hash_aref(opts, tmp);
if (NIL_P(tmp)) {
json->create_additions = true;
json->deprecated_create_additions = true;
} else {
json->create_additions = RTEST(tmp);
json->deprecated_create_additions = false;
}
}

if (json->symbolize_names && json->create_additions) {
rb_raise(rb_eArgError,
"options :symbolize_names and :create_additions cannot be "
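Review bot: In the cParser_initialize hunk an explicit `create_additions: nil` now turns object instantiation on (`json->create_additions = true`), where the old `RTEST(rb_hash_aref(opts, tmp))` turned it off, so a direct caller that forwards a nil option moves from the safe to the unsafe setting and is told only by a warning at parse time. If nil is meant purely as the sentinel for JSON.load's legacy default (the Ruby side is not visible here), say so at the branch, e.g. `/* nil = legacy JSON.load default: additions stay on but warn; true/false are explicit choices */`, or carry the legacy default in a separate internal option instead of overloading nil. The `else` branch that set `json->create_additions = 0` appears to be removed, so both flags stay untouched when the key is absent; that is correct only if the parser struct is zero-initialised on allocation, which is outside the hunk and worth confirming. In JSON_parse_object the `rb_warn` sits after `deep_const_get` and `json_creatable?` have already run on the document-supplied class name and looks to fire once per matching object, so a large untrusted document can flood stderr; warning once per parser would be enough. Both functions continue outside the hunks shown.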