RubyGems - json - Versions diffs - 2.17.1.2 → 2.18.0 - Mend

json 2.17.1.2 → 2.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGES.md +2 -2
data/ext/json/ext/parser/parser.c +30 -31
data/lib/json/truffle_ruby/generator.rb +0 -5
data/lib/json/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a9a3645975d3e5df1aee69354bb7cefe81940009e677758de0f52617e82e871
-  data.tar.gz: 4dfdd1d03081d3a714798c7f9ac89d58285b9d6f7aa82edd430d6118120faad2
+  metadata.gz: 51eab66896e862b679d424133f11e1367d5d8e71add943e67cf0673d0d562fcd
+  data.tar.gz: 7b69d4a42137897fe9a45bd60a21b759d133c112cb4ba16020099f27074ac2fd
 SHA512:
-  metadata.gz: 85cce8ba1edd888d298eebf4279c3381dbbe103b48f59a998db05026028b388317c39fc3c306d32f3e0ada010f0cdff42c978c1173b0af90c93e42d16e78246f
-  data.tar.gz: 8dd8ecf39713290c9fbaf0d1d574636e7c8392252edd7accd4fb2d0bf679f7eeb89efdd099e3d20a57df91ff96bf7bf0b30338d71a22f7cf666799713a3dd3e3
+  metadata.gz: ea3b026c8ccd6cb477858bf06f07f8b5adc5bcf7b52a175487c19dc2835ef63db2e4f87074a00ec2fe2c70e588c205f679116536da40f15e767f35351a52fc5c
+  data.tar.gz: f58144a5329ad95128e00bbc5670280f6a699e04cf05060bdfc7acaf112e62eb44c14c36328a9683d86e138c6eb2f3599f5ec35347867ac99ab9f0e16813c4df

data/CHANGES.md CHANGED Viewed

@@ -2,9 +2,9 @@
 ### Unreleased
-### 2026-03-18 (2.17.1.2)
+### 2025-12-11 (2.18.0)
-* Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false).
+* Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
 ### 2025-12-04 (2.17.1)

data/ext/json/ext/parser/parser.c CHANGED Viewed

@@ -7,7 +7,7 @@ static VALUE CNaN, CInfinity, CMinusInfinity;
 static ID i_new, i_try_convert, i_uminus, i_encode;
-static VALUE sym_max_nesting, sym_allow_nan, sym_allow_trailing_comma, sym_symbolize_names, sym_freeze,
+static VALUE sym_max_nesting, sym_allow_nan, sym_allow_trailing_comma, sym_allow_control_characters, sym_symbolize_names, sym_freeze,
              sym_decimal_class, sym_on_load, sym_allow_duplicate_key;
 static int binary_encindex;
@@ -335,6 +335,7 @@ typedef struct JSON_ParserStruct {
     int max_nesting;
     bool allow_nan;
     bool allow_trailing_comma;
+    bool allow_control_characters;
     bool symbolize_names;
     bool freeze;
 } JSON_ParserConfig;
@@ -399,9 +400,14 @@ static void emit_parse_warning(const char *message, JSON_ParserState *state)
 #define PARSE_ERROR_FRAGMENT_LEN 32
-static VALUE build_parse_error_message(const char *format, JSON_ParserState *state, long line, long column)
+#ifdef RBIMPL_ATTR_NORETURN
+RBIMPL_ATTR_NORETURN()
+#endif
+static void raise_parse_error(const char *format, JSON_ParserState *state)
 {
     unsigned char buffer[PARSE_ERROR_FRAGMENT_LEN + 3];
+    long line, column;
+    cursor_position(state, &line, &column);
     const char *ptr = "EOF";
     if (state->cursor && state->cursor < state->end) {
@@ -436,23 +442,11 @@ static VALUE build_parse_error_message(const char *format, JSON_ParserState *sta
     VALUE msg = rb_sprintf(format, ptr);
     VALUE message = rb_enc_sprintf(enc_utf8, "%s at line %ld column %ld", RSTRING_PTR(msg), line, column);
     RB_GC_GUARD(msg);
-    return message;
-}
-static VALUE parse_error_new(VALUE message, long line, long column)
-{
     VALUE exc = rb_exc_new_str(rb_path2class("JSON::ParserError"), message);
     rb_ivar_set(exc, rb_intern("@line"), LONG2NUM(line));
     rb_ivar_set(exc, rb_intern("@column"), LONG2NUM(column));
-    return exc;
-}
-NORETURN(static) void raise_parse_error(const char *format, JSON_ParserState *state)
-{
-    long line, column;
-    cursor_position(state, &line, &column);
-    VALUE message = build_parse_error_message(format, state, line, column);
-    rb_exc_raise(parse_error_new(message, line, column));
+    rb_exc_raise(exc);
 }
 #ifdef RBIMPL_ATTR_NORETURN
@@ -759,9 +753,15 @@ NOINLINE(static) VALUE json_string_unescape(JSON_ParserState *state, JSON_Parser
                 break;
             default:
                 if ((unsigned char)*pe < 0x20) {
-                    raise_parse_error_at("invalid ASCII control character in string: %s", state, pe - 1);
+                    if (!config->allow_control_characters) {
+                        if (*pe == '\n') {
+                            raise_parse_error_at("Invalid unescaped newline character (\\n) in string: %s", state, pe - 1);
+                        }
+                        raise_parse_error_at("invalid ASCII control character in string: %s", state, pe - 1);
+                    }
+                } else {
+                    raise_parse_error_at("invalid escape character in string: %s", state, pe - 1);
                 }
-                raise_parse_error_at("invalid escape character in string: %s", state, pe - 1);
                 break;
         }
     }
@@ -896,11 +896,6 @@ static void raise_duplicate_key_error(JSON_ParserState *state, VALUE duplicate_k
         rb_inspect(duplicate_key)
     );
-    long line, column;
-    cursor_position(state, &line, &column);
-    rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
-    rb_exc_raise(parse_error_new(message, line, column));
     raise_parse_error(RSTRING_PTR(message), state);
     RB_GC_GUARD(message);
 }
@@ -1018,7 +1013,9 @@ static VALUE json_parse_escaped_string(JSON_ParserState *state, JSON_ParserConfi
                 break;
             }
             default:
-                raise_parse_error("invalid ASCII control character in string: %s", state);
+                if (!config->allow_control_characters) {
+                    raise_parse_error("invalid ASCII control character in string: %s", state);
+                }
                 break;
         }
@@ -1439,14 +1436,15 @@ static int parser_config_init_i(VALUE key, VALUE val, VALUE data)
 {
     JSON_ParserConfig *config = (JSON_ParserConfig *)data;
-         if (key == sym_max_nesting)          { config->max_nesting = RTEST(val) ? FIX2INT(val) : 0; }
-    else if (key == sym_allow_nan)            { config->allow_nan = RTEST(val); }
-    else if (key == sym_allow_trailing_comma) { config->allow_trailing_comma = RTEST(val); }
-    else if (key == sym_symbolize_names)      { config->symbolize_names = RTEST(val); }
-    else if (key == sym_freeze)               { config->freeze = RTEST(val); }
-    else if (key == sym_on_load)              { config->on_load_proc = RTEST(val) ? val : Qfalse; }
-    else if (key == sym_allow_duplicate_key)  { config->on_duplicate_key = RTEST(val) ? JSON_IGNORE : JSON_RAISE; }
-    else if (key == sym_decimal_class)        {
+         if (key == sym_max_nesting)                { config->max_nesting = RTEST(val) ? FIX2INT(val) : 0; }
+    else if (key == sym_allow_nan)                  { config->allow_nan = RTEST(val); }
+    else if (key == sym_allow_trailing_comma)       { config->allow_trailing_comma = RTEST(val); }
+    else if (key == sym_allow_control_characters)   { config->allow_control_characters = RTEST(val); }
+    else if (key == sym_symbolize_names)            { config->symbolize_names = RTEST(val); }
+    else if (key == sym_freeze)                     { config->freeze = RTEST(val); }
+    else if (key == sym_on_load)                    { config->on_load_proc = RTEST(val) ? val : Qfalse; }
+    else if (key == sym_allow_duplicate_key)        { config->on_duplicate_key = RTEST(val) ? JSON_IGNORE : JSON_RAISE; }
+    else if (key == sym_decimal_class)              {
         if (RTEST(val)) {
             if (rb_respond_to(val, i_try_convert)) {
                 config->decimal_class = val;
@@ -1659,6 +1657,7 @@ void Init_parser(void)
     sym_max_nesting = ID2SYM(rb_intern("max_nesting"));
     sym_allow_nan = ID2SYM(rb_intern("allow_nan"));
     sym_allow_trailing_comma = ID2SYM(rb_intern("allow_trailing_comma"));
+    sym_allow_control_characters = ID2SYM(rb_intern("allow_control_characters"));
     sym_symbolize_names = ID2SYM(rb_intern("symbolize_names"));
     sym_freeze = ID2SYM(rb_intern("freeze"));
     sym_on_load = ID2SYM(rb_intern("on_load"));

data/lib/json/truffle_ruby/generator.rb CHANGED Viewed

@@ -500,11 +500,6 @@ module JSON
           private
-          def json_shift(state)
-            state.object_nl.empty? or return ''
-            state.indent * state.depth
-          end
           def json_transform(state)
             depth = state.depth += 1

data/lib/json/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module JSON
-  VERSION = '2.17.1.2'
+  VERSION = '2.18.0'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json
 version: !ruby/object:Gem::Version
-  version: 2.17.1.2
+  version: 2.18.0
 platform: ruby
 authors:
 - Florian Frank
@@ -84,7 +84,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 3.6.9
 specification_version: 4
 summary: JSON Implementation for Ruby
 test_files: []