Project

General

Profile

Actions

Feature #19528

closed

`JSON.load` defaults are surprising (`create_additions: true`)

Added by byroot (Jean Boussier) over 1 year ago. Updated 6 months ago.

Status:
Third Party's Issue
Assignee:
-
Target version:
-
[ruby-core:112866]

Description

I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use load and dump as methods, likely inspired from Marshal and YAML.

Because of this it's extremely common to see code that uses JSON.load expecting a simple, no surprise, and safe JSON parsing.

However that's JSON.parse.

JSON.load has this very surprising behavior (albeit perfectly documented), of de-serializing more complex types:

>> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"

It's particularly weird because aside from the String extension that is eagerly defined, for other types you have to require "json/add/core".

Seasoned Ruby developers know about this of course, and it is banned by various linters, but it keeps popping regularly in gems security releases and such.

Proposal

Assuming entirely removing this feature is not an option, I think json 2.x should warn when this feature is actually being used, and json 3.x should disable it by default and require users to explicitly use JSON.load(str, create_additions: true) to keep the old behavior.

Actions

Also available in: Atom PDF

Like1
Like0Like0Like0Like0Like0Like0