json 2.13.1 → 2.19.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51746c89475207b2f61cd248e90092dfbc5ede1c57226e3809f972ba83155b03
-  data.tar.gz: df39f6262a9eacd358a263b5ab00e0c30474115c9ef367132498f385eeb8fc03
+  metadata.gz: 747237eb2b9348d361e6e93684f81381b4f0dcf0cd36971bc809ac042ce295bc
+  data.tar.gz: 1c6243010258fd2077acf63c5b372babce9a32e789630279bc8b129fc2deef5d
 SHA512:
-  metadata.gz: f192e8bd1e2008570805de002e2ee1ff75f5f31929f5f3c719e7dc11a2cb754f97d70655308372275e4eb9c39d5ee16cb85f2fe7823d5a94f71879d87b11d705
-  data.tar.gz: 69846485c78975cd38c91e5068f365bc8ee9b41ec761d964a8c2166e3e6e86e72d34634f26764a6532ec1e8a3537d669069774440742c2dec7003de09090041c
+  metadata.gz: b43b4ca3d570a3c4051a319f9eb2d2807a6b2567f43cedf8bc21d8208289a3f3a275dc650353cd6ef4bd3e2022afcf73f17164fda51081134e11ac5172374459
+  data.tar.gz: 82a96b04fa36bb5b0ab72868d67e95cfcc8cc8d3f0a045a1caf8045b090e5cf46647b664accf7c657073020847cd8ce6ad28535d14536e214dcaab21b6aa4c17

data/CHANGES.md

@@ -2,6 +2,95 @@
 
 ### Unreleased
 
+### 2026-03-08 (2.19.2)
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`.
+
+### 2026-03-08 (2.19.1)
+
+* Fix a compiler dependent GC bug introduced in `2.18.0`.
+
+### 2026-03-06 (2.19.0)
+
+* Fix `allow_blank` parsing option to no longer allow invalid types (e.g. `load([], allow_blank: true)` now raise a type error).
+* Add `allow_invalid_escape` parsing option to ignore backslashes that aren't followed by one of the valid escape characters.
+
+### 2026-02-03 (2.18.1)
+
+* Fix a potential crash in very specific circumstance if GC triggers during a call to `to_json`
+  without first invoking a user defined `#to_json` method.
+
+### 2025-12-11 (2.18.0)
+
+* Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
+
+### 2025-12-04 (2.17.1)
+
+* Fix a regression in parsing of unicode surogate pairs (`\uXX\uXX`) that could cause an invalid string to be returned.
+
+### 2025-12-03 (2.17.0)
+
+* Improve `JSON.load` and `JSON.unsafe_load` to allow passing options as second argument.
+* Fix the parser to no longer ignore invalid escapes in strings.
+  Only `\"`, `\\`, `\b`, `\f`, `\n`, `\r`, `\t` and `\u` are valid JSON escapes.
+* Fixed `JSON::Coder` to use the depth it was initialized with.
+* On TruffleRuby, fix the generator to not call `to_json` on the return value of `as_json` for `Float::NAN`.
+* Fixed handling of `state.depth`: when `to_json` changes `state.depth` but does not restore it, it is reset
+  automatically to its initial value.
+  In particular, when a `NestingError` is raised, `depth` is no longer equal to `max_nesting` after the call to
+  generate, and is reset to its initial value. Similarly when `to_json` raises an exception.
+
+### 2025-11-07 (2.16.0)
+
+* Deprecate `JSON::State#[]` and `JSON::State#[]=`. Consider using `JSON::Coder` instead.
+* `JSON::Coder` now also yields to the block when encountering strings with invalid encoding.
+* Fix GeneratorError messages to be UTF-8 encoded.
+* Fix memory leak when `Exception` is raised, or `throw` is used during JSON generation.
+* Optimized floating point number parsing by integrating the ryu algorithm (thanks to Josef Šimánek).
+* Optimized numbers parsing using SWAR (thanks to Scott Myron).
+* Optimized parsing of pretty printed documents using SWAR (thanks to Scott Myron).
+
+### 2025-10-25 (2.15.2)
+
+* Fix `JSON::Coder` to have one dedicated depth counter per invocation.
+  After encountering a circular reference in `JSON::Coder#dump`, any further `#dump` call would raise `JSON::NestingError`.
+
+### 2025-10-07 (2.15.1)
+
+* Fix incorrect escaping in the JRuby extension when encoding shared strings.
+
+### 2025-09-22 (2.15.0)
+
+* `JSON::Coder` callback now receive a second argument to convey whether the object is a hash key.
+* Tuned the floating point number generator to not use scientific notation as aggressively.
+
+### 2025-09-18 (2.14.1)
+
+* Fix `IndexOutOfBoundsException` in the JRuby extension when encoding shared strings.
+
+### 2025-09-18 (2.14.0)
+
+* Add new `allow_duplicate_key` generator options. By default a warning is now emitted when a duplicated key is encountered.
+  In `json 3.0` an error will be raised.
+  ```ruby
+  >> Warning[:deprecated] = true
+  >> puts JSON.generate({ foo: 1, "foo" => 2 })
+  (irb):2: warning: detected duplicate key "foo" in {foo: 1, "foo" => 2}.
+  This will raise an error in json 3.0 unless enabled via `allow_duplicate_key: true`
+  {"foo":1,"foo":2}
+  >> JSON.generate({ foo: 1, "foo" => 2 }, allow_duplicate_key: false)
+  detected duplicate key "foo" in {foo: 1, "foo" => 2} (JSON::GeneratorError)
+  ```
+* Fix `JSON.generate` `strict: true` mode to also restrict hash keys.
+* Fix `JSON::Coder` to also invoke block for hash keys that aren't strings nor symbols.
+* Fix `JSON.unsafe_load` usage with proc
+* Fix the parser to more consistently reject invalid UTF-16 surogate pairs.
+* Stop defining `String.json_create`, `String#to_json_raw`, `String#to_json_raw_object` when `json/add` isn't loaded.
+
+### 2025-07-28 (2.13.2)
+
+* Improve duplicate key warning and errors to include the key name and point to the right caller.
+
 ### 2025-07-24 (2.13.1)
 
 * Fix support for older compilers without `__builtin_cpu_supports`.
@@ -40,7 +129,7 @@
 ### 2025-04-24 (2.11.1)
 
 * Add back `JSON.restore`, `JSON.unparse`, `JSON.fast_unparse` and `JSON.pretty_unparse`.
-  These were deprecated 16 years ago, but never emited warnings, only undocumented, so are
+  These were deprecated 16 years ago, but never emitted warnings, only undocumented, so are
   still used by a few gems.
 
 ### 2025-04-24 (2.11.0)
@@ -67,7 +156,7 @@
 ### 2025-03-12 (2.10.2)
 
 * Fix a potential crash in the C extension parser.
-* Raise a ParserError on all incomplete unicode escape sequence. This was the behavior until `2.10.0` unadvertently changed it.
+* Raise a ParserError on all incomplete unicode escape sequence. This was the behavior until `2.10.0` inadvertently changed it.
 * Ensure document snippets that are included in parser errors don't include truncated multibyte characters.
 * Ensure parser error snippets are valid UTF-8.
 * Fix `JSON::GeneratorError#detailed_message` on Ruby < 3.2
@@ -98,7 +187,7 @@
 
 ### 2024-11-14 (2.8.2)
 
-* `JSON.load_file` explictly read the file as UTF-8.
+* `JSON.load_file` explicitly read the file as UTF-8.
 
 ### 2024-11-06 (2.8.1)
 
@@ -106,7 +195,7 @@
 
 ### 2024-11-06 (2.8.0)
 
-* Emit a deprecation warning when `JSON.load` create custom types without the `create_additions` option being explictly enabled.
+* Emit a deprecation warning when `JSON.load` create custom types without the `create_additions` option being explicitly enabled.
   * Prefer to use `JSON.unsafe_load(string)` or `JSON.load(string, create_additions: true)`.
 * Emit a deprecation warning when serializing valid UTF-8 strings encoded in `ASCII_8BIT` aka `BINARY`.
 * Bump required Ruby version to 2.7.
@@ -114,7 +203,7 @@
   pre-existing support for comments, make it suitable to parse `jsonc` documents.
 * Many performance improvements to `JSON.parse` and `JSON.load`, up to `1.7x` faster on real world documents.
 * Some minor performance improvements to `JSON.dump` and `JSON.generate`.
-* `JSON.pretty_generate` no longer include newline inside empty object and arrays. 
+* `JSON.pretty_generate` no longer includes newlines inside empty object and arrays.
 
 ### 2024-11-04 (2.7.6)
 
@@ -131,13 +220,13 @@
 * Workaround a bug in 3.4.8 and older https://github.com/rubygems/rubygems/pull/6490.
   This bug would cause some gems with native extension to fail during compilation.
 * Workaround different versions of `json` and `json_pure` being loaded (not officially supported).
-* Make `json_pure` Ractor compatible. 
+* Make `json_pure` Ractor compatible.
 
 ### 2024-10-24 (2.7.3)
 
 * Numerous performance optimizations in `JSON.generate` and `JSON.dump` (up to 2 times faster).
-* Limit the size of ParserError exception messages, only include up to 32 bytes of the unparseable source.
-* Fix json-pure's `Object#to_json` to accept non state arguments 
+* Limit the size of ParserError exception messages, only include up to 32 bytes of the unparsable source.
+* Fix json-pure's `Object#to_json` to accept non-state arguments.
 * Fix multiline comment support in `json-pure`.
 * Fix `JSON.parse` to no longer mutate the argument encoding when passed an ASCII-8BIT string.
 * Fix `String#to_json` to raise on invalid encoding in `json-pure`.
@@ -282,6 +371,7 @@
 ## 2015-09-11 (2.0.0)
   * Now complies to newest JSON RFC 7159.
   * Implements compatibility to ruby 2.4 integer unification.
+  * Removed support for `quirks_mode` option.
   * Drops support for old rubies whose life has ended, that is rubies < 2.0.
     Also see https://www.ruby-lang.org/en/news/2014/07/01/eol-for-1-8-7-and-1-9-2/
   * There were still some mentions of dual GPL licensing in the source, but JSON

data/LEGAL

@@ -6,3 +6,15 @@
 All the files in this distribution are covered under either the Ruby's
 license (see the file COPYING) or public-domain except some files
 mentioned below.
+
+ext/json/ext/vendor/fpconv.h::
+  This file is adapted from https://github.com/night-shift/fpconv
+  It is licensed under Boost Software License 1.0.
+
+ext/json/ext/vendor/jeaiii-ltoa.h::
+  This file is adapted from https://github.com/jeaiii/itoa
+  It is licensed under the MIT License
+
+ext/json/ext/vendor/ryu.h::
+  This file is adapted from the Ryu algorithm by Ulf Adams https://github.com/ulfjack/ryu.
+  It is dual-licensed under Apache License 2.0 OR Boost Software License 1.0.

data/README.md

@@ -97,7 +97,7 @@ Instead it is recommended to use the newer `JSON::Coder` API:
 
 ```ruby
 module MyApp
-  API_JSON_CODER = JSON::Coder.new do |object|
+  API_JSON_CODER = JSON::Coder.new do |object, is_object_key|
     case object
     when Time
       object.iso8601(3)
@@ -113,6 +113,24 @@ puts MyApp::API_JSON_CODER.dump(Time.now.utc) # => "2025-01-21T08:41:44.286Z"
 The provided block is called for all objects that don't have a native JSON equivalent, and
 must return a Ruby object that has a native JSON equivalent.
 
+It is also called for objects that do have a JSON equivalent, but are used as Hash keys, for instance `{ 1 => 2}`,
+as well as for strings that aren't valid UTF-8:
+
+```ruby
+coder = JSON::Combining.new do |object, is_object_key|
+  case object
+  when String
+    if !string.valid_encoding? || string.encoding != Encoding::UTF_8
+      Base64.encode64(string)
+    else
+      string
+    end
+  else
+    object
+  end
+end
+```
+
 ## Combining JSON fragments
 
 To combine JSON fragments into a bigger JSON document, you can use `JSON::Fragment`:

data/ext/json/ext/fbuffer/fbuffer.h

@@ -1,47 +1,9 @@
 #ifndef _FBUFFER_H_
 #define _FBUFFER_H_
 
-#include "ruby.h"
-#include "ruby/encoding.h"
+#include "../json.h"
 #include "../vendor/jeaiii-ltoa.h"
 
-/* shims */
-/* This is the fallback definition from Ruby 3.4 */
-
-#ifndef RBIMPL_STDBOOL_H
-#if defined(__cplusplus)
-# if defined(HAVE_STDBOOL_H) && (__cplusplus >= 201103L)
-#  include <cstdbool>
-# endif
-#elif defined(HAVE_STDBOOL_H)
-# include <stdbool.h>
-#elif !defined(HAVE__BOOL)
-typedef unsigned char _Bool;
-# define bool  _Bool
-# define true  ((_Bool)+1)
-# define false ((_Bool)+0)
-# define __bool_true_false_are_defined
-#endif
-#endif
-
-#ifndef RB_UNLIKELY
-#define RB_UNLIKELY(expr) expr
-#endif
-
-#ifndef RB_LIKELY
-#define RB_LIKELY(expr) expr
-#endif
-
-#ifndef MAYBE_UNUSED
-# define MAYBE_UNUSED(x) x
-#endif
-
-#ifdef RUBY_DEBUG
-#ifndef JSON_DEBUG
-#define JSON_DEBUG RUBY_DEBUG
-#endif
-#endif
-
 enum fbuffer_type {
     FBUFFER_HEAP_ALLOCATED = 0,
     FBUFFER_STACK_ALLOCATED = 1,
@@ -49,11 +11,11 @@ enum fbuffer_type {
 
 typedef struct FBufferStruct {
     enum fbuffer_type type;
-    unsigned long initial_length;
-    unsigned long len;
-    unsigned long capa;
-#ifdef JSON_DEBUG
-    unsigned long requested;
+    size_t initial_length;
+    size_t len;
+    size_t capa;
+#if JSON_DEBUG
+    size_t requested;
 #endif
     char *ptr;
     VALUE io;
@@ -70,12 +32,12 @@ typedef struct FBufferStruct {
 
 static void fbuffer_free(FBuffer *fb);
 static void fbuffer_clear(FBuffer *fb);
-static void fbuffer_append(FBuffer *fb, const char *newstr, unsigned long len);
+static void fbuffer_append(FBuffer *fb, const char *newstr, size_t len);
 static void fbuffer_append_long(FBuffer *fb, long number);
 static inline void fbuffer_append_char(FBuffer *fb, char newchr);
 static VALUE fbuffer_finalize(FBuffer *fb);
 
-static void fbuffer_stack_init(FBuffer *fb, unsigned long initial_length, char *stack_buffer, long stack_buffer_size)
+static void fbuffer_stack_init(FBuffer *fb, size_t initial_length, char *stack_buffer, size_t stack_buffer_size)
 {
     fb->initial_length = (initial_length > 0) ? initial_length : FBUFFER_INITIAL_LENGTH_DEFAULT;
     if (stack_buffer) {
@@ -83,14 +45,14 @@ static void fbuffer_stack_init(FBuffer *fb, unsigned long initial_length, char *
         fb->ptr = stack_buffer;
         fb->capa = stack_buffer_size;
     }
-#ifdef JSON_DEBUG
+#if JSON_DEBUG
     fb->requested = 0;
 #endif
 }
 
-static inline void fbuffer_consumed(FBuffer *fb, unsigned long consumed)
+static inline void fbuffer_consumed(FBuffer *fb, size_t consumed)
 {
-#ifdef JSON_DEBUG
+#if JSON_DEBUG
     if (consumed > fb->requested) {
         rb_bug("fbuffer: Out of bound write");
     }
@@ -117,7 +79,7 @@ static void fbuffer_flush(FBuffer *fb)
     fbuffer_clear(fb);
 }
 
-static void fbuffer_realloc(FBuffer *fb, unsigned long required)
+static void fbuffer_realloc(FBuffer *fb, size_t required)
 {
     if (required > fb->capa) {
         if (fb->type == FBUFFER_STACK_ALLOCATED) {
@@ -132,7 +94,7 @@ static void fbuffer_realloc(FBuffer *fb, unsigned long required)
     }
 }
 
-static void fbuffer_do_inc_capa(FBuffer *fb, unsigned long requested)
+static void fbuffer_do_inc_capa(FBuffer *fb, size_t requested)
 {
     if (RB_UNLIKELY(fb->io)) {
         if (fb->capa < FBUFFER_IO_BUFFER_SIZE) {
@@ -146,7 +108,7 @@ static void fbuffer_do_inc_capa(FBuffer *fb, unsigned long requested)
         }
     }
 
-    unsigned long required;
+    size_t required;
 
     if (RB_UNLIKELY(!fb->ptr)) {
         fb->ptr = ALLOC_N(char, fb->initial_length);
@@ -158,9 +120,9 @@ static void fbuffer_do_inc_capa(FBuffer *fb, unsigned long requested)
     fbuffer_realloc(fb, required);
 }
 
-static inline void fbuffer_inc_capa(FBuffer *fb, unsigned long requested)
+static inline void fbuffer_inc_capa(FBuffer *fb, size_t requested)
 {
-#ifdef JSON_DEBUG
+#if JSON_DEBUG
     fb->requested = requested;
 #endif
 
@@ -169,19 +131,24 @@ static inline void fbuffer_inc_capa(FBuffer *fb, unsigned long requested)
     }
 }
 
-static void fbuffer_append(FBuffer *fb, const char *newstr, unsigned long len)
+static inline void fbuffer_append_reserved(FBuffer *fb, const char *newstr, size_t len)
+{
+    MEMCPY(fb->ptr + fb->len, newstr, char, len);
+    fbuffer_consumed(fb, len);
+}
+
+static inline void fbuffer_append(FBuffer *fb, const char *newstr, size_t len)
 {
     if (len > 0) {
         fbuffer_inc_capa(fb, len);
-        MEMCPY(fb->ptr + fb->len, newstr, char, len);
-        fbuffer_consumed(fb, len);
+        fbuffer_append_reserved(fb, newstr, len);
     }
 }
 
 /* Appends a character into a buffer. The buffer needs to have sufficient capacity, via fbuffer_inc_capa(...). */
 static inline void fbuffer_append_reserved_char(FBuffer *fb, char chr)
 {
-#ifdef JSON_DEBUG
+#if JSON_DEBUG
     if (fb->requested < 1) {
         rb_bug("fbuffer: unreserved write");
     }
@@ -194,12 +161,29 @@ static inline void fbuffer_append_reserved_char(FBuffer *fb, char chr)
 
 static void fbuffer_append_str(FBuffer *fb, VALUE str)
 {
-    const char *newstr = StringValuePtr(str);
-    unsigned long len = RSTRING_LEN(str);
+    const char *ptr;
+    size_t len;
+    RSTRING_GETMEM(str, ptr, len);
 
+    fbuffer_append(fb, ptr, len);
     RB_GC_GUARD(str);
+}
 
-    fbuffer_append(fb, newstr, len);
+static void fbuffer_append_str_repeat(FBuffer *fb, VALUE str, size_t repeat)
+{
+    const char *ptr;
+    size_t len;
+    RSTRING_GETMEM(str, ptr, len);
+
+    fbuffer_inc_capa(fb, repeat * len);
+    while (repeat) {
+#if JSON_DEBUG
+        fb->requested = len;
+#endif
+        fbuffer_append_reserved(fb, ptr, len);
+        repeat--;
+    }
+    RB_GC_GUARD(str);
 }
 
 static inline void fbuffer_append_char(FBuffer *fb, char newchr)
@@ -257,14 +241,11 @@ static VALUE fbuffer_finalize(FBuffer *fb)
 {
     if (fb->io) {
         fbuffer_flush(fb);
-        fbuffer_free(fb);
         rb_io_flush(fb->io);
         return fb->io;
     } else {
-        VALUE result = rb_utf8_str_new(FBUFFER_PTR(fb), FBUFFER_LEN(fb));
-        fbuffer_free(fb);
-        return result;
+        return rb_utf8_str_new(FBUFFER_PTR(fb), FBUFFER_LEN(fb));
     }
 }
 
-#endif
+#endif // _FBUFFER_H_

data/ext/json/ext/generator/extconf.rb

@@ -6,7 +6,7 @@ if RUBY_ENGINE == 'truffleruby'
 else
   append_cflags("-std=c99")
   $defs << "-DJSON_GENERATOR"
-  $defs << "-DJSON_DEBUG" if ENV["JSON_DEBUG"]
+  $defs << "-DJSON_DEBUG" if ENV.fetch("JSON_DEBUG", "0") != "0"
 
   if enable_config('generator-use-simd', default=!ENV["JSON_DISABLE_SIMD"])
     load __dir__ + "/../simd/conf.rb"