json
+5
-0
@@ -5,2 +5,7 @@ # Changes | ||
| ### 2026-06-03 (2.19.8) | ||
| * Fix 1-byte buffer overread on EOS errors. | ||
| * Handle invalid types passed as `max_nesting` option. | ||
| ### 2026-05-28 (2.19.7) | ||
@@ -7,0 +12,0 @@ |
@@ -388,2 +388,9 @@ #include "../json.h" | ||
| { | ||
| JSON_ASSERT(state->cursor <= state->end); | ||
| // Redundant but helpful for hardening | ||
| if (RB_UNLIKELY(state->cursor > state->end)) { | ||
| state->cursor = state->end; | ||
| } | ||
| const char *cursor = state->cursor; | ||
@@ -1026,2 +1033,9 @@ long column = 0; | ||
| } | ||
| // If the string ended with an unterminated escape sequence, we might | ||
| // have gone past the end. | ||
| if (RB_UNLIKELY(state->cursor > state->end)) { | ||
| state->cursor = state->end; | ||
| } | ||
| return false; | ||
@@ -1028,0 +1042,0 @@ } |
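Review bot: The clamp in the second hunk runs only after the escape-sequence loop has finished, and its own comment concedes the cursor "might have gone past the end", so it repairs `state->cursor` after an overrun may already have happened rather than preventing the read itself; the actual bounds check for the unterminated-escape case presumably lives in the loop above this hunk, which is outside the view, and that should be where the 1-byte overread is closed. I would make the comment say that explicitly so the clamp is not mistaken for the fix, e.g. `// Defense in depth: the escape loop above must stop before end; clamp so a stale cursor cannot feed later pointer arithmetic.` In the first hunk, `JSON_ASSERT(state->cursor <= state->end)` and the following `if (RB_UNLIKELY(state->cursor > state->end))` cover the same condition, so whichever one is active depends on whether JSON_ASSERT is compiled in; the existing "Redundant but helpful" comment would be clearer as `// Redundant with the assert above in debug builds; this is the release-build guard.` Both enclosing functions start and end outside the hunks.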
@@ -310,2 +310,5 @@ # frozen_string_literal: true | ||
| elsif opts[:max_nesting] | ||
| unless opts[:max_nesting].is_a?(Integer) | ||
| raise TypeError, ":max_nesting must be an Integer, got: #{opts[:max_nesting].class}" | ||
| end | ||
| @max_nesting = opts[:max_nesting] | ||
@@ -312,0 +315,0 @@ else |
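Review bot: The new `unless opts[:max_nesting].is_a?(Integer)` check reads `opts[:max_nesting]` three times across the branch (the `elsif`, the type check, the error message and the assignment), which is easy to get out of sync if the key is ever renamed or the option normalised first. A local keeps the branch to one lookup: `max_nesting = opts[:max_nesting]` then `raise TypeError, ":max_nesting must be an Integer, got: #{max_nesting.class}" unless max_nesting.is_a?(Integer)` and `@max_nesting = max_nesting`. Note that the check only rejects non-Integer values; any Integer, including negative ones, still passes, and whether that is intended is not visible from the hunk. The enclosing method starts and ends outside the hunk.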
| # frozen_string_literal: true | ||
| module JSON | ||
| VERSION = '2.19.7' | ||
| VERSION = '2.19.8' | ||
| end |
+11
-0
@@ -252,2 +252,13 @@ # JSON implementation for Ruby | ||
| ## Security | ||
| When parsing or serializing untrusted input, parser and generator options should never be user controlled. | ||
| ```ruby | ||
| # Dangerous, DO NOT DO THIS. | ||
| JSON.generate(params[:data], params[:options]) | ||
| ``` | ||
| Security vulnerability reports relying on attacker controlled parsing or generator options will be handled as regular bug fixes. | ||
| ## Development | ||
@@ -254,0 +265,0 @@ |