| author | Jean Boussier <jean.boussier@gmail.com> | 2024-10-24 16:51:25 +0200 |
|---|---|---|
| committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2024-11-01 13:04:24 +0900 |
| commit | f2b8829df0092409c944aafeac03f72ab2a6e7ac (patch) | |
| tree | 69914ee130dcb936246fcf7d48fe1711d954561c /test | |
| parent | cc2e67a138d258290f727f5797bdc14fbc5a6e52 (diff) | |
Deprecate unsafe default options of `JSON.load`
[Feature #19528]
Ref: https://bugs.ruby-lang.org/issues/19528
`load` is understood as the default method for serializer kind of libraries, and
the default options of `JSON.load` have caused many security vulnerabilities over the
years.
The plan is to do like YAML/Psych, deprecate these default options and direct
users toward using `JSON.unsafe_load` so at least it's obvious it should be
used against untrusted data.
Diffstat (limited to 'test')
| -rw-r--r-- | test/json/json_addition_test.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/json/json_addition_test.rb b/test/json/json_addition_test.rb index 8c3fbda56a..d78ae55c3c 100644 --- a/test/json/json_addition_test.rb +++ b/test/json/json_addition_test.rb @@ -162,6 +162,12 @@ class JSONAdditionTest < Test::Unit::TestCase assert_equal(/foo/i, JSON(JSON(/foo/i), :create_additions => true)) end + def test_deprecated_load_create_additions + assert_warning(/use JSON\.unsafe_load/) do + JSON.load(JSON.dump(Time.now)) + end + end + def test_utc_datetime now = Time.now d = DateTime.parse(now.to_s) # usual case |
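Review bot: test_deprecated_load_create_additions only asserts that a warning matching /use JSON\.unsafe_load/ is emitted, and discards the value returned by `JSON.load(JSON.dump(Time.now))`. The test would therefore pass whether the call still builds a Time object during the deprecation period or falls back to a plain Hash. Capture the result inside the assert_warning block and assert on its class, so the behaviour that is being deprecated stays pinned until it is actually removed. A companion case is also missing: nothing here shows that a call which opts in explicitly (for example `:create_additions => true`, as used in the context line above the hunk, or JSON.unsafe_load itself) stays silent. Without it, a regression that warns on every load would go unnoticed.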
