Feature #19528

Updated by byroot (Jean Boussier) about 1 year ago

I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired by `Marshal` and `YAML`.

Because of this it's extremely common to see code that uses `JSON.load` expecting a simple, no-surprise, safe JSON parsing.

However, that's `JSON.parse`.

`JSON.load` has this very surprising behavior (albeit perfectly documented) of de-serializing more complex types:

```ruby
>> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"
```

It's particularly weird because, aside from the `String` extension that is eagerly defined, for other types you have to `require "json/add/core"`.

Seasoned Ruby developers know about this of course, and [it is banned by various linters](https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/JSONLoad), but it keeps popping up regularly in [gem security releases](https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467) and such.

### Proposal

Assuming entirely removing this feature is not an option, I think `json 2.x` should warn when this feature is actually being used, and `json 3.x` should disable it by default and require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old behavior.
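The behavior discussed in the ticket, side by side with the safe alternatives, as an added example that is not part of the original ticket or of the json gem's own code; `SAMPLE_JSON` is a constructed input and `json_class_hooks` is a hypothetical helper written for this illustration.

```ruby
require "json"

# Constructed sample input: a document carrying the "json_class" key that
# JSON.load's create_additions hook acts on (String needs no extra require).
SAMPLE_JSON = '{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }'

# JSON.load with the gem's default options: create_additions is on, so the
# Hash is handed to String.json_create and comes back as a String.
def load_with_additions(str)
  JSON.load(str)
end

# JSON.parse never consults json_class; the same bytes stay a plain Hash.
def parse_plain(str)
  JSON.parse(str)
end

# JSON.load with create_additions switched off explicitly. The options hash is
# passed as the third positional argument because load takes (source, proc, opts).
def load_without_additions(str)
  JSON.load(str, nil, create_additions: false)
end

# Defensive check for code that must keep using JSON.load: walk the parsed
# document and report every "json_class" key with its path, i.e. every place
# where a create_additions hook would have been able to instantiate a class.
def json_class_hooks(obj, path = "$", found = [])
  case obj
  when Hash
    found << [path, obj["json_class"]] if obj.key?("json_class")
    obj.each { |k, v| json_class_hooks(v, "#{path}.#{k}", found) }
  when Array
    obj.each_with_index { |v, i| json_class_hooks(v, "#{path}[#{i}]", found) }
  end
  found
end

if $PROGRAM_NAME == __FILE__
  p load_with_additions(SAMPLE_JSON)            # "Hello" (revived object)
  p parse_plain(SAMPLE_JSON).class              # Hash
  p load_without_additions(SAMPLE_JSON).class   # Hash
  p json_class_hooks(parse_plain(SAMPLE_JSON))  # [["$", "String"]]
end
```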
