json 2.19.7-java → 2.19.8-java

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 072f3617342c52e645a0c0c33a106bc091937c015943d561751e853d02abec6d
4
- data.tar.gz: aa3a609001131bef7a49998ae02192f7690879a38242d6bff2fd7585194586de
3
+ metadata.gz: 26ceb74d2e898b237e9935644ed8542b3715c320ba76e04992034c2dc70e98fd
4
+ data.tar.gz: fd1fc4fcca17f6d828fe9f5f5fc78e6450799888c3d101cedce1ff41e987c3ff
5
5
  SHA512:
6
- metadata.gz: 2b105146204033f8c3db4ca26d1e6777b3413f3b30c2399dc48335a5c7eb6c305717b7a5fb58613d48919f8136d31d4d21e1e75ce253b06e65514e8c6e398e9d
7
- data.tar.gz: 0d394a4ad2942ba37ecfbe5cea7fa64dbbb6acfc3034b592ba8c37558ce04cf3286eb4dae98b704854de22187d2e62cbb8a7072f6fe7e41b1f7f218486d2b2bb
6
+ metadata.gz: 37c29079bd29dfb72dae329e624509e5aa794ebdeb7eba0f9b750fa81ec0b3b065db4023f23b0e5b3b9dab3f9bf179758729dc4f3364e00f5696fe6fdf1ca1d5
7
+ data.tar.gz: 056a3aa4c948d71ec8710773fa8129a52b6d7d5aa77846faac25375eeed9d2674d66b1c410af68ffa0b988f109d08264397f258a935f587f02dafdf72c71a5c3
data/CHANGES.md CHANGED
@@ -2,6 +2,11 @@
2
2
 
3
3
  ### Unreleased
4
4
 
5
+ ### 2026-06-03 (2.19.8)
6
+
7
+ * Fix 1-byte buffer overread on EOS errors.
8
+ * Handle invalid types passed as `max_nesting` option.
9
+
5
10
  ### 2026-05-28 (2.19.7)
6
11
 
7
12
  * Fix some more edge cases with out of range floats.
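Review bot: The 2.19.8 entry "Fix 1-byte buffer overread on EOS errors" does not say which parser implementation or which input condition triggers the overread, so a reader cannot judge exposure from the changelog alone. Suggest naming the affected component, linking the issue or commit, and saying whether the fix applies to every platform build of the gem. The second entry, "Handle invalid types passed as `max_nesting` option", would also be clearer if it said that such values now raise a TypeError.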
data/README.md CHANGED
@@ -249,6 +249,17 @@ There are also the methods `Kernel#j` for generate, and `Kernel#jj` for
249
249
  `pretty_generate` output to the console, that work analogous to Core Ruby's `p` and
250
250
  the `pp` library's `pp` methods.
251
251
 
252
+ ## Security
253
+
254
+ When parsing or serializing untrusted input, parser and generator options should never be user controlled.
255
+
256
+ ```ruby
257
+ # Dangerous, DO NOT DO THIS.
258
+ JSON.generate(params[:data], params[:options])
259
+ ```
260
+
261
+ Security vulnerability reports relying on attacker controlled parsing or generator options will be handled as regular bug fixes.
262
+
252
263
  ## Development
253
264
 
254
265
  ### Prerequisites
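Review bot: The new Security section shows only the unsafe call, `JSON.generate(params[:data], params[:options])`, with no safe counterpart, and although the sentence covers parsing as well as serializing, the example is generate-only. Suggest adding a snippet where the options are fixed by the application rather than taken from the request, plus a matching parse example. The closing sentence would also benefit from spelling out what "handled as regular bug fixes" implies for how such reports are disclosed.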
Binary file
Binary file
@@ -307,6 +307,9 @@ module JSON
307
307
  if !opts.key?(:max_nesting) # defaults to 100
308
308
  @max_nesting = 100
309
309
  elsif opts[:max_nesting]
310
+ unless opts[:max_nesting].is_a?(Integer)
311
+ raise TypeError, ":max_nesting must be an Integer, got: #{opts[:max_nesting].class}"
312
+ end
310
313
  @max_nesting = opts[:max_nesting]
311
314
  else
312
315
  @max_nesting = 0
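Review bot: The new guard under `elsif opts[:max_nesting]` validates only the type, so a negative Integer still passes `is_a?(Integer)` and is assigned to `@max_nesting` unchanged. Suggest rejecting negative values in the same check, or documenting what they mean, and adding a test that covers the TypeError path. Note also that any truthy non-Integer value that was previously assigned as-is now raises, which is a behaviour change for existing callers and worth stating explicitly in the changelog.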
data/lib/json/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module JSON
4
- VERSION = '2.19.7'
4
+ VERSION = '2.19.8'
5
5
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: json
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.19.7
4
+ version: 2.19.8
5
5
  platform: java
6
6
  authors:
7
7
  - Daniel Luz
8
8
  bindir: bin
9
9
  cert_chain: []
10
- date: 2026-05-28 00:00:00.000000000 Z
10
+ date: 2026-06-03 00:00:00.000000000 Z
11
11
  dependencies: []
12
12
  description: A JSON implementation as a JRuby extension.
13
13
  email: dev+ruby@mernen.com