From a7e173a61da0a621641155651cb0afd3d99c56a5 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh <mame@ruby-lang.org>
Date: Fri, 19 Jun 2026 03:39:35 +0900
Subject: [PATCH] Document that JSON::ResumableParser does not bound its buffer
 size

An incomplete document is buffered in full with no size limit, so reading from an
untrusted source can grow memory without bound. Note in the rdoc that bounding the
input is the caller's responsibility.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 ext/json/ext/parser/parser.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ext/json/ext/parser/parser.c b/ext/json/ext/parser/parser.c
index 136aab6a..076287fd 100644
--- a/ext/json/ext/parser/parser.c
+++ b/ext/json/ext/parser/parser.c
@@ -2261,6 +2261,11 @@ static inline JSON_ResumableParser *cResumableParser_get(VALUE self)
  *   parser << ' '
  *   parser.parse # => true
  *   parser.value # => 123
+ *
+ * === Security
+ *
+ * An incomplete document is buffered in full and there is no size limit, so when reading
+ * from an untrusted source the caller is responsible for bounding how much data is fed.
  */
 static VALUE cResumableParser_initialize(int argc, VALUE *argv, VALUE self)
 {