json 2.15.2 → 2.15.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b883349b3a8a8c1ccb003e74779a577e3a16e8c3d8541693fb477a78aeac3a68
-  data.tar.gz: efb11cf9e69ece0ebb11d33aec23401b0c1ed1d7a39c351f82998ba82cbd47b8
+  metadata.gz: e0a73f62257d521165faeb372eafe66beb01fe47b4790256840f4316aa762510
+  data.tar.gz: 135d0b30fd72cd54b91b84050fe86a67b1aaf909f2024f5a545288cfbe3a2088
 SHA512:
-  metadata.gz: f78e23c6bd8b8dcddaaf051d6ae60253fd6c96e108395b475d825d9daf3fba4f754f280ae095f456ee67917dd991c8477caa86038f378f23d49e17744467cb7a
-  data.tar.gz: 64946a58a223efb1e333ff15eba3776d44505cfb78ba0102350177b6351f4643107db5f37ddb65c41569b4d58b5147176c8043b182abd152c74c63351be958fd
+  metadata.gz: d51c8d7de86d2581845d73638053da3f7c5aea014da4a960630fd78bba234647e37b301dec74f93069cc584d7f2495a394dc4a5d5514f543dee195413a863ebf
+  data.tar.gz: 3a871434b7427979f6c860e7ec33772ff61ddd0d272ac40de51fc887a14f50e65653d70b8276b2b535870a20801d7e6c2068b6f5bfb68293fc0e0de3a82aa729

data/CHANGES.md

@@ -2,6 +2,10 @@
 
 ### Unreleased
 
+### 2026-03-18 (2.15.2.1)
+
+* Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false).
+
 ### 2025-10-25 (2.15.2)
 
 * Fix `JSON::Coder` to have one dedicated depth counter per invocation.

data/ext/json/ext/parser/parser.c

@@ -428,14 +428,9 @@ static void emit_parse_warning(const char *message, JSON_ParserState *state)
 
 #define PARSE_ERROR_FRAGMENT_LEN 32
 
-#ifdef RBIMPL_ATTR_NORETURN
-RBIMPL_ATTR_NORETURN()
-#endif
-static void raise_parse_error(const char *format, JSON_ParserState *state)
+static VALUE build_parse_error_message(const char *format, JSON_ParserState *state, long line, long column)
 {
     unsigned char buffer[PARSE_ERROR_FRAGMENT_LEN + 3];
-    long line, column;
-    cursor_position(state, &line, &column);
 
     const char *ptr = "EOF";
     if (state->cursor && state->cursor < state->end) {
@@ -470,11 +465,23 @@ static void raise_parse_error(const char *format, JSON_ParserState *state)
     VALUE msg = rb_sprintf(format, ptr);
     VALUE message = rb_enc_sprintf(enc_utf8, "%s at line %ld column %ld", RSTRING_PTR(msg), line, column);
     RB_GC_GUARD(msg);
+    return message;
+}
 
+static VALUE parse_error_new(VALUE message, long line, long column)
+{
     VALUE exc = rb_exc_new_str(rb_path2class("JSON::ParserError"), message);
     rb_ivar_set(exc, rb_intern("@line"), LONG2NUM(line));
     rb_ivar_set(exc, rb_intern("@column"), LONG2NUM(column));
-    rb_exc_raise(exc);
+    return exc;
+}
+
+NORETURN(static) void raise_parse_error(const char *format, JSON_ParserState *state)
+{
+    long line, column;
+    cursor_position(state, &line, &column);
+    VALUE message = build_parse_error_message(format, state, line, column);
+    rb_exc_raise(parse_error_new(message, line, column));
 }
 
 #ifdef RBIMPL_ATTR_NORETURN
@@ -875,6 +882,11 @@ static void raise_duplicate_key_error(JSON_ParserState *state, VALUE duplicate_k
         rb_inspect(duplicate_key)
     );
 
+    long line, column;
+    cursor_position(state, &line, &column);
+    rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
+    rb_exc_raise(parse_error_new(message, line, column));
+
     raise_parse_error(RSTRING_PTR(message), state);
     RB_GC_GUARD(message);
 }

data/lib/json/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JSON
-  VERSION = '2.15.2'
+  VERSION = '2.15.2.1'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json
 version: !ruby/object:Gem::Version
-  version: 2.15.2
+  version: 2.15.2.1
 platform: ruby
 authors:
 - Florian Frank
@@ -82,7 +82,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: JSON Implementation for Ruby
 test_files: []