From: "mame (Yusuke Endoh) via ruby-core"
Date: 2023-04-14T01:28:52+00:00
Subject: [ruby-core:113235] [Ruby master Feature#19528] `JSON.load` defaults are surprising (`create_additions: true`)

Issue #19528 has been updated by mame (Yusuke Endoh).

We discussed this at the dev meeting.

First of all, json upstream is https://github.com/flori/json. No one at the dev meeting has its ownership. So the following is just an opinion.

None of the attendees of the dev meeting were against making this safe by default.

@naruse suggested the following migration path.

* Calling `JSON.load` without the `create_additions` keyword should be warned as "Use `JSON.parse` instead of `JSON.load`".
* If a user does not need the object deserialization feature (we guess this is the major case), `JSON.parse` is good enough.
* Otherwise, they should opt in to the feature by adding `create_additions: true`.
* After some period, we can change the default to `create_additions: false`.

@matsuda said the name `create_additions` is incomprehensible and he would like another good name.

@akr suggested `JSON.unsafe_load`.

----------------------------------------
Feature #19528: `JSON.load` defaults are surprising (`create_additions: true`)
https://bugs.ruby-lang.org/issues/19528#change-102783

* Author: byroot (Jean Boussier)
* Status: Open
* Priority: Normal
----------------------------------------
I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired by `Marshal` and `YAML`.

Because of this it's extremely common to see code that uses `JSON.load` expecting simple, no-surprise, safe JSON parsing. However that's `JSON.parse`.

`JSON.load` has this very surprising behavior (albeit perfectly documented) of de-serializing more complex types:

```ruby
>> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"
```

It's particularly weird because aside from the `String` extension that is eagerly defined, for other types you have to `require "json/add/core"`.

Seasoned Ruby developers know about this of course, and [it is banned by various linters](https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/JSONLoad), but it keeps popping up regularly in [gem security releases](https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467) and such.

### Proposal

Assuming entirely removing this feature is not an option, I think `json 2.x` should warn when this feature is actually being used, and `json 3.x` should disable it by default and require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old behavior.

--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
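An added Ruby example, not code from the thread or from the json gem, showing the behaviour the issue describes and the explicit opt-in/opt-out the migration path proposes. `Greeting` is a hypothetical application class and the two payloads are constructed to stand in for attacker-controlled input. `JSON.load` is called with an explicit `nil` for its `proc` positional argument so that the options hash lands on the `options` parameter regardless of json version; `json/add/core` is the opt-in set of `json_create` hooks the issue mentions (here it supplies `Range`).

```ruby
require "json"
require "json/add/core" # opt-in json_create hooks for Range, Time, Struct, ... (ships with json)

# Hypothetical application class (an assumption, not from the thread).
# Any class reachable by constant name that answers json_create can be
# instantiated by a JSON document that names it in "json_class".
class Greeting
  attr_reader :text

  def initialize(text)
    @text = text
  end

  def self.json_create(obj)
    new(obj["text"])
  end
end

# Constructed payloads standing in for untrusted input.
RANGE_PAYLOAD    = '{"json_class":"Range","a":[1,10,false]}'
GREETING_PAYLOAD = '{"json_class":"Greeting","text":"hello"}'

# The legacy behaviour made explicit: with create_additions: true the
# "json_class" key selects the class to construct. nil is the proc argument.
def legacy_load(str)
  JSON.load(str, nil, create_additions: true)
end

# The proposed safe default, written as an explicit opt-out today.
def safe_load(str)
  JSON.load(str, nil, create_additions: false)
end

# What most callers actually wanted: plain parsing, no constant lookup.
def plain_parse(str)
  JSON.parse(str)
end

# Reports, for one payload, the class each loader hands back.
def resulting_classes(str)
  {
    legacy_load: legacy_load(str).class.name,
    safe_load:   safe_load(str).class.name,
    parse:       plain_parse(str).class.name,
  }
end

if __FILE__ == $PROGRAM_NAME
  [RANGE_PAYLOAD, GREETING_PAYLOAD].each do |payload|
    puts "#{payload} -> #{resulting_classes(payload)}"
  end
end
```

Only the `legacy_load` path ever calls `Greeting.json_create` or `Range.json_create`; the other two return the `Hash` the caller expected, which is why the issue argues that `JSON.parse` (or `JSON.load` with `create_additions: false`) is the right default for untrusted input.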