Use create_additions: false in Grape::Json.load (#2759)

dblock · Copilot · web-flow · commit 0f9f44f4f071 · 2026-06-10T23:09:34.000+02:00
When MultiJson is not available, Grape::Json falls back to stdlib JSON.
JSON.load honours the json_class key by calling json_create on the named
class, allowing a remote caller to instantiate arbitrary Ruby objects
already loaded in the process. Pass create_additions: false to disable
this behaviour.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -72,6 +72,7 @@
 * [#2703](https://github.com/ruby-grape/grape/pull/2703): Catch exceptions raised inside `rescue_from` blocks; new `rescue_from :internal_grape_exceptions` opt-in for unrecognised internal errors (resolves [#2482](https://github.com/ruby-grape/grape/issues/2482)) - [@ericproulx](https://github.com/ericproulx).
 * [#2706](https://github.com/ruby-grape/grape/pull/2706): Fix `optional :foo, message: 'oops'` raising `UnknownValidator` - [@ericproulx](https://github.com/ericproulx).
 * [#2751](https://github.com/ruby-grape/grape/pull/2751): Fix structured error messages leaking the raw i18n key for an undefined optional step such as `summary` (closes #2748) - [@ericproulx](https://github.com/ericproulx).
+* [#2759](https://github.com/ruby-grape/grape/pull/2759): Use `create_additions: false` in `Grape::Json.load` to prevent object instantiation via the `json_class` key when using the stdlib JSON fallback - [@dblock](https://github.com/dblock).
 * Your contribution here.
 
 ### 3.2.1 (2026-04-16)
diff --git a/lib/grape/json.rb b/lib/grape/json.rb
@@ -4,7 +4,16 @@ module Grape
   if defined?(::MultiJson)
     Json = ::MultiJson
   else
-    Json = ::JSON
-    Json::ParseError = Json::ParserError
+    module Json
+      ParseError = ::JSON::ParserError
+
+      def self.load(str)
+        ::JSON.load(str, nil, create_additions: false)
+      end
+
+      def self.dump(obj, *)
+        ::JSON.dump(obj, *)
+      end
+    end
   end
 end
diff --git a/spec/grape/parser/json_spec.rb b/spec/grape/parser/json_spec.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+describe Grape::Parser::Json, if: !defined?(MultiJson) do
+  include Rack::Test::Methods
+
+  let(:app) do
+    Class.new(Grape::API) do
+      format :json
+
+      post '/data' do
+        params.to_h
+      end
+    end
+  end
+
+  # Verify that json_class payloads are treated as plain data and do not
+  # trigger Ruby object instantiation via JSON.load's create_additions mechanism.
+  context 'when the request body contains a json_class key' do
+    let(:triggered) { [] }
+
+    before do
+      t = triggered
+      stub_const('JsonClassTarget', Class.new do
+        define_singleton_method(:json_create) do |_data|
+          t << true
+          new
+        end
+      end)
+    end
+
+    it 'does not instantiate the named class' do
+      body = JSON.dump('json_class' => 'JsonClassTarget', 'data' => { 'x' => 1 })
+      post '/data', body, 'CONTENT_TYPE' => 'application/json'
+
+      expect(triggered).to be_empty
+    end
+
+    it 'returns the payload as a plain hash' do
+      body = JSON.dump('json_class' => 'JsonClassTarget', 'data' => { 'x' => 1 })
+      post '/data', body, 'CONTENT_TYPE' => 'application/json'
+
+      expect(last_response.status).to eq(201)
+      parsed = JSON.parse(last_response.body)
+      expect(parsed['json_class']).to eq('JsonClassTarget')
+    end
+  end
+end
