Feature #19528
Updated by byroot (Jean Boussier) over 1 year ago
I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired from `Marshal` and `YAML`.
Because of this it's extremely common to see code that uses `JSON.load` expecting a simple, no surprise, and safe JSON parsing.
However that's `JSON.parse`.
`JSON.load` has this very surprising behavior (albeit perfectly documented), of de-serializing more complex types:
```ruby
>> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"
```
It's particularly weird because aside from the `String` extension that is eagerly defined, for other types you have to `require "json/add/core"`.
Seasoned Ruby developers know about this of course, and [it is banned by various linters](https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/JSONLoad), but it keeps popping regularly in [gems gems security releases](https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467) releases and such.
### Proposal
Assuming entirely removing this feature is not an option, I think `json 2.x` should warn when this feature is actually being used, and `json 3.x` should disable it by default and require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old behavior.