feat: 🎸 Add parse_UNSAFE, which does not parse functions by default

Author: haozi

README.md

@@ -49,15 +49,19 @@ const restored = jsonWeb3.parse(text)
     headers: Map(1) {...},
     re: /([^\s]+)/g,
     url: URL(...),
-    fn: [Function: echo]
+    fn: { "__@json.function__": "function echo(arg) { return arg }" }
   }
 */
+
+const restoredUnsafe = jsonWeb3.parse_UNSAFE(text)
+// restoredUnsafe.fn is a callable function
 ```
 
 ## API (Fully compatible with native globalThis.JSON)
 
 - `stringify(value, replacer?, space?)`
 - `parse(text, reviver?)`
+- `parse_UNSAFE(text, reviver?)` (revives `Function` payloads via `new Function(...)`)
 
 ## Note
 
@@ -67,7 +71,7 @@ const restored = jsonWeb3.parse(text)
 - `Map` values are encoded as `{"__@json.map__":[[k,v],...]}` and `Set` values as `{"__@json.set__":[...]}`.
 - `RegExp` values are encoded as `{"__@json.regexp__":{"source":"...","flags":"..."}}`.
 - `URL` values are encoded as `{"__@json.url__":"..."}`.
-- `Function` values are encoded as `{"__@json.function__":"<source>"}` and revived with `new Function(...)` (only do this with trusted input).
+- `Function` values are encoded as `{"__@json.function__":"<source>"}` and are only revived by `parse_UNSAFE` using `new Function(...)` (only do this with trusted input).
 - `ArrayBuffer`, Node `Buffer` JSON shapes, and typed arrays are encoded as `{"__@json.typedarray__":{"type":"<Name>","bytes":"0x..."}}` and decoded back to the original typed array (`Uint8Array`, `Uint8ClampedArray`, `Uint16Array`, `Uint32Array`, `Int8Array`, `Int16Array`, `Int32Array`, `Float32Array`, `Float64Array`, `BigInt64Array`, `BigUint64Array`).
 
 Compared to libraries that require eval-based parsing (for example, `serialize-javascript`), this approach is generally safer and more efficient.

src/index.ts

@@ -64,7 +64,14 @@ export const parse = <T = any>(text: string, reviver: Reviver = null): T =>
     return isFunction(reviver) ? reviver(key, decoded) : decoded
   })
 
+export const parse_UNSAFE = <T = any>(text: string, reviver: Reviver = null): T =>
+  RAW_JSON.parse(text, (key, v) => {
+    const decoded = fromSerializable(v, { allowFunction: true })
+    return isFunction(reviver) ? reviver(key, decoded) : decoded
+  })
+
 export default {
   stringify,
   parse,
+  parse_UNSAFE,
 }

src/utils.ts

@@ -149,7 +149,7 @@ export const toSerializable = (value: any): any => {
   return value
 }
 
-export const fromSerializable = (value: any): any => {
+export const fromSerializable = (value: any, options: { allowFunction?: boolean } = {}): any => {
   if (value && isObject(value)) {
     if (hasOwnProperty(value, BIGINT_TAG)) {
       return BigInt(value[BIGINT_TAG])
@@ -193,6 +193,9 @@ export const fromSerializable = (value: any): any => {
       return new URL(payload)
     }
     if (hasOwnProperty(value, FUNCTION_TAG)) {
+      if (!options.allowFunction) {
+        return value
+      }
       const payload = value[FUNCTION_TAG]
       if (!isString(payload)) {
         throw new Error('Invalid function payload')

test/index.test.ts

@@ -1,6 +1,6 @@
 import { Script, createContext } from 'node:vm'
 import { describe, expect, it } from 'vitest'
-import jsonWeb3, { parse, stringify } from '../src/index'
+import jsonWeb3, { parse, parse_UNSAFE, stringify } from '../src/index'
 import { getTypedArrayName, isBuffer } from '../src/utils'
 
 describe('json-web3', () => {
@@ -176,7 +176,7 @@ describe('json-web3', () => {
     expect(output.d.getTime()).toBe(d.getTime())
   })
 
-  it('round-trips Map, Set, RegExp, URL, and Function', () => {
+  it('round-trips Map, Set, RegExp, URL, and Function with parse_UNSAFE', () => {
     function echo(arg: string) {
       return arg
     }
@@ -188,7 +188,7 @@ describe('json-web3', () => {
       fn: echo,
     }
     const text = stringify(input)
-    const output = parse(text)
+    const output = parse_UNSAFE(text)
 
     expect(output.map).toBeInstanceOf(Map)
     expect(Array.from(output.map.entries())).toEqual([['hello', 'world']])
@@ -237,7 +237,7 @@ describe('json-web3', () => {
       fn: (arg: string) => arg,
     }
     const text = stringify(input, ['d', 'inf', 'map', 'set', 're', 'url', 'fn'])
-    const output = parse(text)
+    const output = parse_UNSAFE(text)
 
     expect(output.d).toBeInstanceOf(Date)
     expect(output.d.getTime()).toBe(input.d.getTime())
@@ -279,21 +279,25 @@ describe('json-web3', () => {
     expect(() => parse(bad)).toThrowError(/Invalid hex string for bytes/)
   })
 
-  it('parse throws on invalid payloads for new types', () => {
+  it('parse throws on invalid payloads for new types (except function)', () => {
     const cases = [
       '{"x":{"__@json.number__":"bad"}}',
       '{"x":{"__@json.map__":123}}',
       '{"x":{"__@json.set__":123}}',
       '{"x":{"__@json.regexp__":{"source":1,"flags":[]}}}',
       '{"x":{"__@json.url__":123}}',
-      '{"x":{"__@json.function__":123}}',
     ]
 
     for (const text of cases) {
       expect(() => parse(text)).toThrowError()
     }
   })
 
+  it('parse_UNSAFE throws on invalid function payloads', () => {
+    const text = '{"x":{"__@json.function__":123}}'
+    expect(() => parse_UNSAFE(text)).toThrowError()
+  })
+
   it('falls back to raw bytes when typed array type is unknown', () => {
     const text = '{"__@json.typedarray__":{"type":"UnknownArray","bytes":"0x01"}}'
     const output = parse(text)
@@ -411,17 +415,25 @@ describe('json-web3', () => {
     expect(output.bytes[256]).toBe(0)
   })
 
-  it('symbol is dropped while function is preserved', () => {
+  it('symbol is dropped while function is preserved with parse_UNSAFE', () => {
     const sym = Symbol('x')
     const input: any = { a: 1, s: sym, f: (arg: string) => arg }
     const text = stringify(input)
-    const output = parse(text)
+    const output = parse_UNSAFE(text)
     expect(output.a).toBe(1)
     expect(output.s).toBeUndefined()
     expect(typeof output.f).toBe('function')
     expect(output.f('ok')).toBe('ok')
   })
 
+  it('parse keeps function payloads as tagged objects', () => {
+    const input = { fn: (arg: string) => arg }
+    const text = stringify(input)
+    const output = parse(text)
+
+    expect(output.fn).toEqual({ '__@json.function__': expect.any(String) })
+  })
+
   it('BigInt in array with replacer array filtering works as expected', () => {
     const input = { list: [1n, 2n], other: 3n }
     const text = stringify(input, ['list'])

test/test.ts

@@ -17,5 +17,5 @@ const payload = {
 
 const text = jsonWeb3.stringify(payload, null, 2)
 console.log('text', text)
-const restored = jsonWeb3.parse(text)
+const restored = jsonWeb3.parse_UNSAFE(text)
 console.log('restored', restored)