Consider returning an error on duplicate keys by default

[vks]

Parsing duplicate JSON keys (as in {"qty": 1, "qty": -1}) can be dangerous if the parsing behavior is inconsistent. (See here for a detailed discussion.) Some parsers will give for {"qty": 1, "qty": -1} the same result as for {"qty": -1} (i.e. serde_json's current behavior), others will give the same result as for {"qty": 1}. For some applications, this inconsistency may be exploited by attackers.

Therefore, it may be more prudent for serde_json to return an error for duplicate keys by default.

[dtolnay]

I think I'd prefer to stick with the current behavior. Someone who needs the other behavior can use their own Map type or Value enum with a Deserialize impl which behaves that way.

[thomassa]

The error would be the fail-safe behaviour, so a better default.
Or have no default, and make the user choose explicitly.
In any case, for now the serde_with crate can be used to get the chosen behaviour:

• https://crates.io/crates/serde_with
• https://docs.rs/serde_with/3.6.1/serde_with/rust/maps_duplicate_key_is_error/index.html
• https://docs.rs/serde_with/3.6.1/serde_with/struct.MapPreventDuplicates.html