Issue #19528 has been updated by Eregon (Benoit Daloze).
@duerst Yes, that's for psych where YAML.load became safe.
@mame One issue with the above is it would make usages of `JSON.load` which don't
intend to deserialize objects have to change to `JSON.parse`, which feels a bit
suboptimal.
I would think most usages of `JSON.load` actually intend no object deserialization, so
it'd be great if we don't need to change those and they are not warned.
OTOH I can see changing to `JSON.parse` would work nicely and safely on older JSON
versions, so that makes sense from that POV.
Maybe we could warn only if object deserialization is actually used?
---
IMO there are so many problems with the `json` gem, notably this is nonsense:
```
JSON.dump(Object.new)
=> "\"#<Object:0x00007fed9189d6c8>\""
JSON.load JSON.dump(Object.new)
=> "#<Object:0x00007fed9177cf28>" # returns a String but an Object was given?
```
WTF? It should have failed earlier, on dump.
And then we had many problems when it comes to releasing `json`.
And the performance of it is abysmal.
Maybe it's time to redo json from scratch, e.g. for version 2. And have a repository
at ruby/json.
----------------------------------------
Feature #19528: `JSON.load` defaults are surprising (`create_additions: true`)
https://bugs.ruby-lang.org/issues/19528#change-102805
* Author: byroot (Jean Boussier)
* Status: Open
* Priority: Normal
----------------------------------------
I'm not sure if it was actually intended, but there's some tacit naming convention
for serializers in Ruby to use `load` and `dump` as methods, likely inspired from
`Marshal` and `YAML`.
Because of this it's extremely common to see code that uses `JSON.load` expecting a
simple, no surprise, and safe JSON parsing.
However that's `JSON.parse`.
`JSON.load` has this very surprising behavior (albeit perfectly documented), of
de-serializing more complex types:
```ruby
> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"
```
It's particularly weird because aside from the `String` extension that is eagerly
defined, for other types you have to `require "json/add/core"`.
Seasoned Ruby developers know about this of course, and [it is banned by various
linters](https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/JSONLoad), but it
keeps popping up regularly in [gems security
releases](https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deseria…
and such.
### Proposal
Assuming entirely removing this feature is not an option, I think `json 2.x` should warn
when this feature is actually being used, and `json 3.x` should disable it by default and
require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old
behavior.
--
https://bugs.ruby-lang.org/
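The `JSON.load` vs. `JSON.parse` difference the issue describes, as an added example that is not code from the issue or from the json gem. The `Point` class, its `json_create` hook and the `PAYLOAD` document are constructed for this illustration; `requests_additions?` is a hypothetical defender-side check for spotting documents that try to trigger the `json_class` protocol.

```ruby
require "json"

# Hypothetical class that opts into the json gem's "json_class" protocol
# (constructed for this example; not part of the gem or the issue).
class Point
  attr_reader :x, :y

  def initialize(x, y)
    @x, @y = x, y
  end

  # Called by JSON.load when create_additions is on and "json_class" == "Point".
  def self.json_create(hash)
    new(hash["x"], hash["y"])
  end

  def to_json(*args)
    { JSON.create_id => self.class.name, "x" => x, "y" => y }.to_json(*args)
  end
end

# Constructed input: what JSON.dump emits for a Point, i.e. what an untrusted
# document would have to contain to make JSON.load call Point.json_create.
PAYLOAD = JSON.dump(Point.new(1, 2))   # {"json_class":"Point","x":1,"y":2}

def parse_plain(str)
  JSON.parse(str)                       # create_additions is off: plain Hash
end

def load_default(str)
  JSON.load(str)                        # json 2.x default: a Point is instantiated
end

def load_opt_out(str)
  JSON.load(str, nil, { create_additions: false })   # options as 3rd positional arg
end

def load_opt_in(str)
  JSON.load(str, nil, { create_additions: true })    # the explicit form the proposal asks for
end

# Defender-side check: walk a safely parsed document and report whether any object
# carries the create_id key, so such inputs can be logged before anything is loaded.
def requests_additions?(doc)
  case doc
  when Hash  then doc.key?(JSON.create_id) || doc.each_value.any? { |v| requests_additions?(v) }
  when Array then doc.any? { |v| requests_additions?(v) }
  else false
  end
end
```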