Issue #19528 has been updated by mame (Yusuke Endoh). We discussed this at the dev meeting. First of all, json upstream is https://github.com/flori/json. No one at the dev meeting has its ownership. So the following is just an opinion. None of the attendees of the dev meeting were against making this safe by default. @naruse suggested the following migration path. * Calling `JSON.load` without `create_additions` keyword should be warned as "`Use JSON.parse instead of JSON.load`" * If a user does not need object deserialization feature (we guess this is a major case), `JSON.parse` is good enough. * Otherwise, they should opt-in the feature by adding `create_additions: true`. * After some period, we can change the default to `create_additions: false`. @matsuda said the name `create_additions` is incomprehensible and he would like another good name. @akr suggested `JSON.unsafe_load`. ---------------------------------------- Feature #19528: `JSON.load` defaults are surprising (`create_additions: true`) https://bugs.ruby-lang.org/issues/19528#change-102783 * Author: byroot (Jean Boussier) * Status: Open * Priority: Normal ---------------------------------------- I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired from `Marshal` and `YAML`. Because of this it's extremely common to see code that uses `JSON.load` expecting a simple, no surprise, and safe JSON parsing. However that's `JSON.parse`. `JSON.load` has this very surprising behavior (albeit perfectly documented), of de-serializing more complex types: ```ruby => "Hello" ``` It's particularly weird because aside from the `String` extension that is eagerly defined, for other types you have to `require "json/add/core"`. Seasoned Ruby developers know about this of course, and [it is banned by various linters](https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/JSONLoad), but it keeps popping regularly in [gems security releases](https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deseria… and such. ### Proposal Assuming entirely removing this feature is not an option, I think `json 2.x` should warn when this feature is actually being used, and `json 3.x` should disable it by default and require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old behavior. -- https://bugs.ruby-lang.org/

Issue #19528 has been updated by Eregon (Benoit Daloze). @duerst Yes, that's for psych where YAML.load became safe. @mame One issue with the above is it would make usages of `JSON.load` which don't intend to deserialize objects have to change to `JSON.parse`, which feels a bit suboptimal. I would think most usages of `JSON.load` actually intend no object deserialization, so it'd be great if we don't need to change those and they are not warned. OTOH I can see changing to `JSON.parse` would work nicely and safely on older JSON versions, so that makes sense from that POV. Maybe we could warn only if object deserialization is actually used? --- IMO there are so many problems with the `json` gem, notably this is nonsense: ``` => "\"#<Object:0x00007fed9189d6c8>\"" => "#<Object:0x00007fed9177cf28>" # returns a String but an Object was given? WTF? It should have failed earlier, on dump. ``` And then we had many problems when it comes to releasing `json`. And the performance of it is abysmal. Maybe it's time to redo json from scracth, e.g. for version 2. And have a repository at ruby/json. ---------------------------------------- Feature #19528: `JSON.load` defaults are surprising (`create_additions: true`) https://bugs.ruby-lang.org/issues/19528#change-102805 * Author: byroot (Jean Boussier) * Status: Open * Priority: Normal ---------------------------------------- I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired from `Marshal` and `YAML`. Because of this it's extremely common to see code that uses `JSON.load` expecting a simple, no surprise, and safe JSON parsing. However that's `JSON.parse`. `JSON.load` has this very surprising behavior (albeit perfectly documented), of de-serializing more complex types: ```ruby => "Hello" ``` It's particularly weird because aside from the `String` extension that is eagerly defined, for other types you have to `require "json/add/core"`. Seasoned Ruby developers know about this of course, and [it is banned by various linters](https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/JSONLoad), but it keeps popping regularly in [gems security releases](https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deseria… and such. ### Proposal Assuming entirely removing this feature is not an option, I think `json 2.x` should warn when this feature is actually being used, and `json 3.x` should disable it by default and require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old behavior. -- https://bugs.ruby-lang.org/