json 2.7.6-java → 2.8.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc7f91e45f97a190ae906fd62628096c4ca094ce9594fb847e4c85805f7b77a8
-  data.tar.gz: b7ef29eec1f9ef2aabecbe36d93efe0011356f030fc5ebc9daf6af0e2b2ab06d
+  metadata.gz: '028722a95a19f36273e395c75c39bce1d12eeaccc31b208c16e3c12adece4ea1'
+  data.tar.gz: d4c11f6be31a3aaf913ee7d3675dfba0a760aaeff18bf58894d4e6693955a909
 SHA512:
-  metadata.gz: 1e9788d9a961fc4778bbf0c23fd29fa3f99357652c51e6377479238c9e15ab7bbf628e9f2d4a2255417fdf1ef341c8882c9bc81babdb85458038573bd3f79173
-  data.tar.gz: 26e5c02ca4ea4882b0c58b41eb23a53a8ba101625ed0b8bc444f21af50248c1ef185667c47b9c2f50433e335c135792709af8cf601af4e82bc92eb30f18962a6
+  metadata.gz: fac7a86491aa6f5844d8de472f8b7f9f1cb977cce0ce02044d384d5cf65ab180a6545514270b1f8ace2113fc0f0fc1dfef41b2cac233392cc3cf7f6dd8f2ac13
+  data.tar.gz: d3af20766bf04d0ac65d3812de0cad1d88957c495a8d23064b48aafc72a89476bdbd4dd506228728d9263265704fc9952cadeb9c20dbffad10ffb02bd5123e6a

data/CHANGES.md

@@ -1,5 +1,16 @@
 # Changes
 
+### 2024-11-06 (2.8.0)
+
+* Emit a deprecation warning when `JSON.load` create custom types without the `create_additions` option being explictly enabled.
+  * Prefer to use `JSON.unsafe_load(string)` or `JSON.load(string, create_additions: true)`.
+* Emit a deprecation warning when serializing valid UTF-8 strings encoded in `ASCII_8BIT` aka `BINARY`.
+* Bump required Ruby version to 2.7.
+* Add support for optionally parsing trailing commas, via `allow_trailing_comma: true`, which in cunjunction with the
+  pre-existing support for comments, make it suitable to parse `jsonc` documents.
+* Many performance improvements to `JSON.parse` and `JSON.load`, up to `1.7x` faster on real world documents.
+* Some minor performance improvements to `JSON.dump` and `JSON.generate`.
+
 ### 2024-11-04 (2.7.6)
 
 * Fix a regression in JSON.generate when dealing with Hash keys that are string subclasses, call `to_json` on them.

data/README.md

@@ -5,16 +5,10 @@
 ## Description
 
 This is an implementation of the JSON specification according to RFC 7159
-http://www.ietf.org/rfc/rfc7159.txt . There is two variants available:
+http://www.ietf.org/rfc/rfc7159.txt .
 
-* A pure ruby variant, that relies on the `strscan` extensions, which is
-  part of the ruby standard library.
-* The quite a bit faster native extension variant, which is in parts
-  implemented in C or Java and comes with a parser generated by the [Ragel]
-  state machine compiler.
-
-Both variants of the JSON generator generate UTF-8 character sequences by
-default. If an :ascii\_only option with a true value is given, they escape all
+The JSON generator generate UTF-8 character sequences by default.
+If an :ascii\_only option with a true value is given, they escape all
 non-ASCII and control characters with \uXXXX escape sequences, and support
 UTF-16 surrogate pairs in order to be able to generate the whole range of
 unicode code points.
@@ -27,10 +21,6 @@ endpoint.
 
 ## Installation
 
-It's recommended to use the extension variant of JSON, because it's faster than
-the pure ruby variant. If you cannot build it on your system, you can settle
-for the latter.
-
 Install the gem and add to the application's Gemfile by executing:
 
     $ bundle add json
@@ -39,12 +29,6 @@ If bundler is not being used to manage dependencies, install the gem by executin
 
     $ gem install json
 
-
-There is also a pure ruby json only variant of the gem, that can be installed
-with:
-
-    $ gem install json_pure
-
 ## Usage
 
 To use JSON you can
@@ -53,20 +37,6 @@ To use JSON you can
 require 'json'
 ```
 
-to load the installed variant (either the extension `'json'` or the pure
-variant `'json_pure'`). If you have installed the extension variant, you can
-pick either the extension variant or the pure variant by typing
-
-```ruby
-require 'json/ext'
-```
-
-or
-
-```ruby
-require 'json/pure'
-```
-
 Now you can parse a JSON document into a ruby data structure by calling
 
 ```ruby
@@ -82,50 +52,11 @@ You can also use the `pretty_generate` method (which formats the output more
 verbosely and nicely) or `fast_generate` (which doesn't do any of the security
 checks generate performs, e. g. nesting deepness checks).
 
-There are also the JSON and JSON[] methods which use parse on a String or
-generate a JSON document from an array or hash:
-
-```ruby
-document = JSON 'test'  => 23 # => "{\"test\":23}"
-document = JSON['test' => 23] # => "{\"test\":23}"
-```
-
-and
-
-```ruby
-data = JSON '{"test":23}'  # => {"test"=>23}
-data = JSON['{"test":23}'] # => {"test"=>23}
-```
-
-You can choose to load a set of common additions to ruby core's objects if
-you
-
-```ruby
-require 'json/add/core'
-```
-
-After requiring this you can, e. g., serialise/deserialise Ruby ranges:
-
-```ruby
-JSON JSON(1..10) # => 1..10
-```
-
-To find out how to add JSON support to other or your own classes, read the
-section "More Examples" below.
-
-## Serializing exceptions
-
-The JSON module doesn't extend `Exception` by default. If you convert an `Exception`
-object to JSON, it will by default only include the exception message.
-
-To include the full details, you must either load the `json/add/core` mentioned
-above, or specifically load the exception addition:
-
-```ruby
-require 'json/add/exception'
-```
+## Handling arbitrary types
 
-## More Examples
+> [!CAUTION]
+> You should never use `JSON.unsafe_load` nor `JSON.parse(str, create_additions: true)` to parse untrusted user input,
+> as it can lead to remote code execution vulnerabilities.
 
 To create a JSON document from a ruby data structure, you can call
 `JSON.generate` like that:
@@ -191,7 +122,7 @@ JSON.parse json
 # => [1, 2, {"a"=>3.141}, false, true, nil, 4..10]
 json = JSON.generate [1, 2, {"a"=>3.141}, false, true, nil, 4..10]
 # => "[1,2,{\"a\":3.141},false,true,null,{\"json_class\":\"Range\",\"data\":[4,10,false]}]"
-JSON.parse json, :create_additions => true
+JSON.unsafe_load json
 # => [1, 2, {"a"=>3.141}, false, true, nil, 4..10]
 ```
 

data/json.gemspec

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 version = File.foreach(File.join(__dir__, "lib/json/version.rb")) do |line|
   /^\s*VERSION\s*=\s*'(.*)'/ =~ line and break $1
 end rescue nil
@@ -19,7 +21,7 @@ spec = Gem::Specification.new do |s|
     'wiki_uri'          => 'https://github.com/ruby/json/wiki'
   }
 
-  s.required_ruby_version = Gem::Requirement.new(">= 2.3")
+  s.required_ruby_version = Gem::Requirement.new(">= 2.7")
 
   if java_ext
     s.description = "A JSON implementation as a JRuby extension."

data/lib/json/add/bigdecimal.rb

@@ -35,7 +35,7 @@ class BigDecimal
   def as_json(*)
     {
       JSON.create_id => self.class.name,
-      'b'            => _dump,
+      'b'            => _dump.force_encoding(Encoding::UTF_8),
     }
   end
 

data/lib/json/common.rb

@@ -32,9 +32,7 @@ module JSON
       JSON.generate(object, opts)
     end
 
-    # Returns the JSON parser class that is used by JSON. This is either
-    # JSON::Ext::Parser or JSON::Pure::Parser:
-    #   JSON.parser # => JSON::Ext::Parser
+    # Returns the JSON parser class that is used by JSON.
     attr_reader :parser
 
     # Set the JSON parser class _parser_ to be used by JSON.
@@ -49,18 +47,9 @@ module JSON
     # level (absolute namespace path?). If there doesn't exist a constant at
     # the given path, an ArgumentError is raised.
     def deep_const_get(path) # :nodoc:
-      path.to_s.split(/::/).inject(Object) do |p, c|
-        case
-        when c.empty?                  then p
-        when p.const_defined?(c, true) then p.const_get(c)
-        else
-          begin
-            p.const_missing(c)
-          rescue NameError => e
-            raise ArgumentError, "can't get const #{path}: #{e}"
-          end
-        end
-      end
+      Object.const_get(path)
+    rescue NameError => e
+      raise ArgumentError, "can't get const #{path}: #{e}"
     end
 
     # Set the module _generator_ to be used by JSON.
@@ -69,7 +58,7 @@ module JSON
       @generator = generator
       generator_methods = generator::GeneratorMethods
       for const in generator_methods.constants
-        klass = deep_const_get(const)
+        klass = const_get(const)
         modul = generator_methods.const_get(const)
         klass.class_eval do
           instance_methods(false).each do |m|
@@ -106,14 +95,10 @@ module JSON
       )
     end
 
-    # Returns the JSON generator module that is used by JSON. This is
-    # either JSON::Ext::Generator or JSON::Pure::Generator:
-    #   JSON.generator # => JSON::Ext::Generator
+    # Returns the JSON generator module that is used by JSON.
     attr_reader :generator
 
-    # Sets or Returns the JSON generator state class that is used by JSON. This is
-    # either JSON::Ext::Generator::State or JSON::Pure::Generator::State:
-    #   JSON.state # => JSON::Ext::Generator::State
+    # Sets or Returns the JSON generator state class that is used by JSON.
     attr_accessor :state
   end
 
@@ -195,17 +180,17 @@ module JSON
   # {Parsing \JSON}[#module-JSON-label-Parsing+JSON].
   #
   # Parses nested JSON objects:
-  #   source = <<-EOT
-  #   {
-  #   "name": "Dave",
-  #     "age" :40,
-  #     "hats": [
-  #       "Cattleman's",
-  #       "Panama",
-  #       "Tophat"
-  #     ]
-  #   }
-  #   EOT
+  #   source = <<~JSON
+  #     {
+  #     "name": "Dave",
+  #       "age" :40,
+  #       "hats": [
+  #         "Cattleman's",
+  #         "Panama",
+  #         "Tophat"
+  #       ]
+  #     }
+  #   JSON
   #   ruby = JSON.parse(source)
   #   ruby # => {"name"=>"Dave", "age"=>40, "hats"=>["Cattleman's", "Panama", "Tophat"]}
   #
@@ -216,16 +201,7 @@ module JSON
   #   JSON.parse('')
   #
   def parse(source, opts = nil)
-    if opts.nil?
-      Parser.new(source).parse
-    else
-      # NB: The ** shouldn't be required, but we have to deal with
-      # different versions of the `json` and `json_pure` gems being
-      # loaded concurrently.
-      # Prior to 2.7.3, `JSON::Ext::Parser` would only take kwargs.
-      # Ref: https://github.com/ruby/json/issues/650
-      Parser.new(source, **opts).parse
-    end
+    Parser.parse(source, opts)
   end
 
   # :call-seq:
@@ -307,11 +283,10 @@ module JSON
   #
   def generate(obj, opts = nil)
     if State === opts
-      state = opts
+      opts.generate(obj)
     else
-      state = State.new(opts)
+      State.generate(obj, opts)
     end
-    state.generate(obj)
   end
 
   # :stopdoc:
@@ -404,6 +379,20 @@ module JSON
   module_function :pretty_unparse
   # :startdoc:
 
+  class << self
+    # Sets or returns default options for the JSON.unsafe_load method.
+    # Initially:
+    #   opts = JSON.load_default_options
+    #   opts # => {:max_nesting=>false, :allow_nan=>true, :allow_blank=>true, :create_additions=>true}
+    attr_accessor :unsafe_load_default_options
+  end
+  self.unsafe_load_default_options = {
+    :max_nesting      => false,
+    :allow_nan        => true,
+    :allow_blank      => true,
+    :create_additions => true,
+  }
+
   class << self
     # Sets or returns default options for the JSON.load method.
     # Initially:
@@ -412,11 +401,162 @@ module JSON
     attr_accessor :load_default_options
   end
   self.load_default_options = {
-    :max_nesting      => false,
     :allow_nan        => true,
     :allow_blank      => true,
-    :create_additions => true,
+    :create_additions => nil,
   }
+  # :call-seq:
+  #   JSON.unsafe_load(source, proc = nil, options = {}) -> object
+  #
+  # Returns the Ruby objects created by parsing the given +source+.
+  #
+  # - Argument +source+ must be, or be convertible to, a \String:
+  #   - If +source+ responds to instance method +to_str+,
+  #     <tt>source.to_str</tt> becomes the source.
+  #   - If +source+ responds to instance method +to_io+,
+  #     <tt>source.to_io.read</tt> becomes the source.
+  #   - If +source+ responds to instance method +read+,
+  #     <tt>source.read</tt> becomes the source.
+  #   - If both of the following are true, source becomes the \String <tt>'null'</tt>:
+  #     - Option +allow_blank+ specifies a truthy value.
+  #     - The source, as defined above, is +nil+ or the empty \String <tt>''</tt>.
+  #   - Otherwise, +source+ remains the source.
+  # - Argument +proc+, if given, must be a \Proc that accepts one argument.
+  #   It will be called recursively with each result (depth-first order).
+  #   See details below.
+  #   BEWARE: This method is meant to serialise data from trusted user input,
+  #   like from your own database server or clients under your control, it could
+  #   be dangerous to allow untrusted users to pass JSON sources into it.
+  # - Argument +opts+, if given, contains a \Hash of options for the parsing.
+  #   See {Parsing Options}[#module-JSON-label-Parsing+Options].
+  #   The default options can be changed via method JSON.unsafe_load_default_options=.
+  #
+  # ---
+  #
+  # When no +proc+ is given, modifies +source+ as above and returns the result of
+  # <tt>parse(source, opts)</tt>;  see #parse.
+  #
+  # Source for following examples:
+  #   source = <<~JSON
+  #     {
+  #       "name": "Dave",
+  #       "age" :40,
+  #       "hats": [
+  #         "Cattleman's",
+  #         "Panama",
+  #         "Tophat"
+  #       ]
+  #     }
+  #   JSON
+  #
+  # Load a \String:
+  #   ruby = JSON.unsafe_load(source)
+  #   ruby # => {"name"=>"Dave", "age"=>40, "hats"=>["Cattleman's", "Panama", "Tophat"]}
+  #
+  # Load an \IO object:
+  #   require 'stringio'
+  #   object = JSON.unsafe_load(StringIO.new(source))
+  #   object # => {"name"=>"Dave", "age"=>40, "hats"=>["Cattleman's", "Panama", "Tophat"]}
+  #
+  # Load a \File object:
+  #   path = 't.json'
+  #   File.write(path, source)
+  #   File.open(path) do |file|
+  #     JSON.unsafe_load(file)
+  #   end # => {"name"=>"Dave", "age"=>40, "hats"=>["Cattleman's", "Panama", "Tophat"]}
+  #
+  # ---
+  #
+  # When +proc+ is given:
+  # - Modifies +source+ as above.
+  # - Gets the +result+ from calling <tt>parse(source, opts)</tt>.
+  # - Recursively calls <tt>proc(result)</tt>.
+  # - Returns the final result.
+  #
+  # Example:
+  #   require 'json'
+  #
+  #   # Some classes for the example.
+  #   class Base
+  #     def initialize(attributes)
+  #       @attributes = attributes
+  #     end
+  #   end
+  #   class User    < Base; end
+  #   class Account < Base; end
+  #   class Admin   < Base; end
+  #   # The JSON source.
+  #   json = <<-EOF
+  #   {
+  #     "users": [
+  #         {"type": "User", "username": "jane", "email": "jane@example.com"},
+  #         {"type": "User", "username": "john", "email": "john@example.com"}
+  #     ],
+  #     "accounts": [
+  #         {"account": {"type": "Account", "paid": true, "account_id": "1234"}},
+  #         {"account": {"type": "Account", "paid": false, "account_id": "1235"}}
+  #     ],
+  #     "admins": {"type": "Admin", "password": "0wn3d"}
+  #   }
+  #   EOF
+  #   # Deserializer method.
+  #   def deserialize_obj(obj, safe_types = %w(User Account Admin))
+  #     type = obj.is_a?(Hash) && obj["type"]
+  #     safe_types.include?(type) ? Object.const_get(type).new(obj) : obj
+  #   end
+  #   # Call to JSON.unsafe_load
+  #   ruby = JSON.unsafe_load(json, proc {|obj|
+  #     case obj
+  #     when Hash
+  #       obj.each {|k, v| obj[k] = deserialize_obj v }
+  #     when Array
+  #       obj.map! {|v| deserialize_obj v }
+  #     end
+  #   })
+  #   pp ruby
+  # Output:
+  #   {"users"=>
+  #      [#<User:0x00000000064c4c98
+  #        @attributes=
+  #          {"type"=>"User", "username"=>"jane", "email"=>"jane@example.com"}>,
+  #        #<User:0x00000000064c4bd0
+  #        @attributes=
+  #          {"type"=>"User", "username"=>"john", "email"=>"john@example.com"}>],
+  #    "accounts"=>
+  #      [{"account"=>
+  #          #<Account:0x00000000064c4928
+  #          @attributes={"type"=>"Account", "paid"=>true, "account_id"=>"1234"}>},
+  #       {"account"=>
+  #          #<Account:0x00000000064c4680
+  #          @attributes={"type"=>"Account", "paid"=>false, "account_id"=>"1235"}>}],
+  #    "admins"=>
+  #      #<Admin:0x00000000064c41f8
+  #      @attributes={"type"=>"Admin", "password"=>"0wn3d"}>}
+  #
+  def unsafe_load(source, proc = nil, options = nil)
+    opts = if options.nil?
+      unsafe_load_default_options
+    else
+      unsafe_load_default_options.merge(options)
+    end
+
+    unless source.is_a?(String)
+      if source.respond_to? :to_str
+        source = source.to_str
+      elsif source.respond_to? :to_io
+        source = source.to_io.read
+      elsif source.respond_to?(:read)
+        source = source.read
+      end
+    end
+
+    if opts[:allow_blank] && (source.nil? || source.empty?)
+      source = 'null'
+    end
+    result = parse(source, opts)
+    recurse_proc(result, &proc) if proc
+    result
+  end
 
   # :call-seq:
   #   JSON.load(source, proc = nil, options = {}) -> object
@@ -440,6 +580,7 @@ module JSON
   #   BEWARE: This method is meant to serialise data from trusted user input,
   #   like from your own database server or clients under your control, it could
   #   be dangerous to allow untrusted users to pass JSON sources into it.
+  #   If you must use it, use JSON.unsafe_load instead to make it clear.
   # - Argument +opts+, if given, contains a \Hash of options for the parsing.
   #   See {Parsing Options}[#module-JSON-label-Parsing+Options].
   #   The default options can be changed via method JSON.load_default_options=.
@@ -450,17 +591,17 @@ module JSON
   # <tt>parse(source, opts)</tt>;  see #parse.
   #
   # Source for following examples:
-  #   source = <<-EOT
-  #   {
-  #   "name": "Dave",
-  #     "age" :40,
-  #     "hats": [
-  #       "Cattleman's",
-  #       "Panama",
-  #       "Tophat"
-  #     ]
-  #   }
-  #   EOT
+  #   source = <<~JSON
+  #     {
+  #       "name": "Dave",
+  #       "age" :40,
+  #       "hats": [
+  #         "Cattleman's",
+  #         "Panama",
+  #         "Tophat"
+  #       ]
+  #     }
+  #   JSON
   #
   # Load a \String:
   #   ruby = JSON.load(source)

data/lib/json/ext/generator/state.rb

@@ -42,37 +42,7 @@ module JSON
               raise TypeError, "can't convert #{opts.class} into Hash"
             end
           end
-
-          opts.each do |key, value|
-            case key
-            when :indent
-              self.indent = value || ''
-            when :space
-              self.space = value || ''
-            when :space_before
-              self.space_before = value || ''
-            when :array_nl
-              self.array_nl = value || ''
-            when :object_nl
-              self.object_nl = value || ''
-            when :max_nesting
-              self.max_nesting = value || 0
-            when :depth
-              self.depth = value
-            when :buffer_initial_length
-              self.buffer_initial_length = value
-            when :allow_nan
-              self.allow_nan = value
-            when :ascii_only
-              self.ascii_only = value
-            when :script_safe, :escape_slash
-              self.script_safe = value
-            when :strict
-              self.strict = value
-            end
-          end
-
-          self
+          _configure(opts)
         end
 
         alias_method :merge, :configure

data/lib/json/ext.rb

@@ -8,14 +8,12 @@ module JSON
   module Ext
     if RUBY_ENGINE == 'truffleruby'
       require 'json/ext/parser'
-      require 'json/pure'
-      $DEBUG and warn "Using Ext extension for JSON parser and Pure library for JSON generator."
+      require 'json/truffle_ruby/generator'
       JSON.parser = Parser
-      JSON.generator = JSON::Pure::Generator
+      JSON.generator = ::JSON::TruffleRuby::Generator
     else
       require 'json/ext/parser'
       require 'json/ext/generator'
-      $DEBUG and warn "Using Ext extension for JSON."
       JSON.parser = Parser
       JSON.generator = Generator
     end