From 2a22aefa1f7befb0ac7a95c918b75b05919c1907 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker
Date: Thu, 26 Jun 2025 12:19:23 -0700
Subject: encoding/json: add security section to doc
Add a section to the package doc which details the security considerations of using encoding/json, in particular with respect to parser misalignment issues. Additionally, clarify previously ambiguous statement in the Unmarshal doc about how case is used when matching keys in objects, and add a note about how duplicate keys are handled.
Fixes #14750
Change-Id: I66f9b845efd98c86a684d7333b3aa8a456564922
Reviewed-on: https://go-review.googlesource.com/c/go/+/684315
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Joseph Tsai
Auto-Submit: Roland Shoemaker
Reviewed-by: Damien Neil
---
 src/encoding/json/decode.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'src/encoding/json/decode.go')
diff --git a/src/encoding/json/decode.go b/src/encoding/json/decode.go
index 4e195e0948..70885a517e 100644
--- a/src/encoding/json/decode.go
+++ b/src/encoding/json/decode.go
@@ -43,11 +43,14 @@ import (
 // and the input is a JSON quoted string, Unmarshal calls
 // [encoding.TextUnmarshaler.UnmarshalText] with the unquoted form of the string.
 //
-// To unmarshal JSON into a struct, Unmarshal matches incoming object
-// keys to the keys used by [Marshal] (either the struct field name or its tag),
-// preferring an exact match but also accepting a case-insensitive match. By
-// default, object keys which don't have a corresponding struct field are
-// ignored (see [Decoder.DisallowUnknownFields] for an alternative).
+// To unmarshal JSON into a struct, Unmarshal matches incoming object keys to
+// the keys used by [Marshal] (either the struct field name or its tag),
+// ignoring case. If multiple struct fields match an object key, an exact case
+// match is preferred over a case-insensitive one.
+//
+// Incoming object members are processed in the order observed. If an object
+// includes duplicate keys, later duplicates will replace or be merged into
+// prior values.
 //
 // To unmarshal JSON into an interface value,
 // Unmarshal stores one of these in the interface value:
-- cgit v1.3
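Review bot: The last two removed lines carry the statement that unknown object keys are ignored by default and the cross-reference to [Decoder.DisallowUnknownFields], and none of the added lines restate it; with the diffstat at 8 insertions and 5 deletions for this file, the sentence is not moved elsewhere in decode.go either. That was the only place in this paragraph telling callers how to make Unmarshal reject unexpected members, which matters more, not less, now that the same paragraph documents the permissive duplicate-key behaviour. I would append after `// match is preferred over a case-insensitive one.` the lines `// By default, object keys which don't have a corresponding struct field are` and `// ignored (see [Decoder.DisallowUnknownFields] for an alternative).`. The new duplicate-key sentence would also be clearer if it said outright what a caller comparing this parser with another needs to know, e.g. `// prior values; duplicate keys are not reported as an error.`. The Unmarshal doc comment begins and ends outside this hunk.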