Why JSON3.read is used both for file path and json string content, and blocks file after read?

[sairus7]

Because of this I get read error for any non-existent file, and maybe some incorrect behaviour for file names that match JSON

using JSON3
JSON3.read("123") # is it file or value? now its a value
open("123", "w") do io
    write(io, """
    {
        "some":"data"
    }
    """)
end
JSON3.read("123") # but now this is file
rm("123") # unlink("123"): permission denied (EACCES)

[0x0f0f0f]

@quinnj ping. This is actually a pretty bad security vulnerability. Imagine that we have a server and a client:

# Server

julia> using Oxygen, JSON3, HTTP

julia> # Define a POST route to read JSON data
       @post "/data" function(req::HTTP.Request)
           # Parse the request body as JSON
           json_data = JSON3.read(String(req.body))
           
           # Process the JSON data as needed
           println("Received JSON data:", json_data)
           
           # Return a simple response
           return Dict("status" => "success", "message" => json_data)
       end

julia> serve()

If we send

$ curl -X POST -H "Content-Type: application/json" -d '{"test": 123}' http://127.0.0.1:8080/data
{"status":"success","message":{"test":123}}

This is alright. If we have a file on the server called ~/sensitive.json which contains

{"super_secret_password": "abcdefg"}

We can send a request such that

$ curl -X POST -H "Content-Type: application/json" -d 'sensitive.json' http://127.0.0.1:8080/data
{"status":"success","message":{"super_secret_password":"abcdefg"}}

[0x0f0f0f]

See how this is done for TOML for example. It's either parsefile, tryparsefile or parse and tryparse. The decision of whether it's a file path or a TOML string is done by the caller!

[0x0f0f0f]

Same for YAML: https://github.com/JuliaData/YAML.jl/blob/master/src/YAML.jl

[0x0f0f0f]

Cross ref #95

The solutions could be many:

• Make two different functions, read_file and read. One reads a file and the other reads a string with the contents of the files, as TOML and YAML already do. Disallow reading from a file in read.
• Add a kwarg, readfile=false. Backwards compatible but not really the nicest.
• Leave read functionality as-is and add read_file and read_string.

[0x0f0f0f]

I'm happy to file a PR once we agree on a solution

[JeffBezanson]

👍 I agree file/string should be separate functions. An additional problem with this API is that when you do trimming, all the code for Mmap/files has to be included even if you aren't using files.

[JeffBezanson]

I think we should add parse and parsefile, since JSON3 doesn't yet use those names so it would be backwards compatible, and similar to what other packages do.