Parsing JSON with edge cases

The linked article shows that there are unclear parts in the JSON specification and that different parsers treat them differently (which could lead to security vulnerabilities in certain cases).

I was curious what Ruby does (Ruby 2.6.6 with gem json 2.3.0, implementing RFC 7159):

Duplicate Keys

irb(main):001:0> require 'json'
=> true
irb(main):002:0> JSON.parse('{"qty": 1, "qty": -1}')
=> {"qty"=>-1}

Character Collision

irb(main):009:0> JSON.parse('{"qty": 1, "qty\ud800": -1}')
JSON::ParserError (487: incomplete surrogate pair at 'qty\ud800": -1}')

irb(main):007:0> JSON.parse('{"qty": 1, "qty"": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "qty"": -1}')

This one was unexpected for me:

irb(main):008:0> JSON.parse('{"qty": 1, "qt\y": -1}')
=> {"qty"=>-1}

Comment Truncation

irb(main):010:0> JSON.parse('{"qty": 1, "extra": 1/*, "qty": -1, "extra2": 2*/}')
=> {"qty"=>1, "extra"=>1}

irb(main):011:0> JSON.parse('{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')

irb(main):012:0> JSON.parse('{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')

irb(main):013:0> JSON.parse('{"qty": 1, "extra": "a"//, "qty": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a"//, "qty": -1}')

Number Decoding

irb(main):014:0> JSON.parse('{"qty": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

irb(main):015:0> JSON.parse('{"qty": -999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>-999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

irb(main):016:0> JSON.parse('{"qty": 1.0e4096}')
=> {"qty"=>Infinity}

irb(main):017:0> JSON.parse('{"qty": -1.0e4096}')
=> {"qty"=>-Infinity}
labs.bishopfox.com
Judith Roth
This website uses short-lived cookies to improve usability.
or learn more