jsonutil's People

Contributors

billdavidson


jsonutil's Issues

java.util.IllegalFormatConversionException in JSONParserException.internalGetMessage

The order of arguments to format() does not match the order in the resource bundle for "unrecognizedData".

Exception in thread "main" java.util.IllegalFormatConversionException: d != java.lang.String
at java.util.Formatter$FormatSpecifier.failConversion(Unknown Source)
at java.util.Formatter$FormatSpecifier.printInteger(Unknown Source)
at java.util.Formatter$FormatSpecifier.print(Unknown Source)
at java.util.Formatter.format(Unknown Source)
at java.util.Formatter.format(Unknown Source)
at java.lang.String.format(Unknown Source)
at org.kopitubruk.util.json.JSONParserException.internalGetMessage(JSONParserException.java:133)
at org.kopitubruk.util.json.JSONException.getLocalizedMessage(JSONException.java:80)

Wrong handling of backslash in string values

Backslashes in string values of a map (e.g. a Windows path) are not correctly escaped if the backslash together with the next char might be an escape sequence. Example:
map.put( "path", "c:\temp\next\path\realdummy.doc" );
is serialized as
{"path":"c:\temp\next\path\realdummy.doc"}
and after parsing it is printed as
"c: emp
ext\path
ealdummy.doc"

Tested with JSONUtil 1.7.1 (Java 7). See attachment for complete example:
JSONTest.zip

Expected: The string value must be returned unchanged.
If it is not possible to change the behavior due to compatibility issues, I would suggest to add a config setting for this.

Stack overflow error caused by jsonutil parsing of untrusted JSON String

Description

Using jsonutil to parse an untrusted JSON String may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at net.pwall.util.ParseText.skipSpaces(ParseText.java:1072)
	at net.pwall.json.JSON.parse(JSON.java:535)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)
	at net.pwall.json.JSON.parse(JSON.java:567)

PoC

        <dependency>
            <groupId>net.pwall.json</groupId>
            <artifactId>jsonutil</artifactId>
            <version>5.0</version>
        </dependency>

import net.pwall.json.JSON;

public class PoC {

    public final static int TOO_DEEP_NESTING = 9999;
    public final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "0");


    public static String _nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        sb.append("\n").append(content).append("\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String jsonString = TOO_DEEP_DOC;
        JSON.parse(jsonString);
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing. (google/gson@2d01d6a20f39881c692977564c1ea591d9f39027)
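An added example, not jsonutil's code, of the first rectification option (the jackson-style depth counter): a small recursive-descent reader, with the hypothetical class name DepthLimitedJson and a hypothetical cap MAX_DEPTH, that throws a catchable exception as soon as the input nests deeper than the cap, so a document shaped like the PoC above is rejected long before the thread stack is exhausted. Its whitespace handling and number terminators also follow the fixes proposed in the newline and float-array issues further down this page; string escapes are deliberately left undecoded to keep the focus on depth.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example, not jsonutil's code: a recursive-descent JSON reader whose parse() refuses
 *  input nested deeper than MAX_DEPTH (IllegalStateException) instead of overflowing the stack. */
public class DepthLimitedJson {
    public static final int MAX_DEPTH = 64; // hypothetical cap; set it above what real documents need
    private final String s;
    private int pos = 0, depth = 0;
    private DepthLimitedJson(String s) { this.s = s; }

    public static Object parse(String json) {
        DepthLimitedJson p = new DepthLimitedJson(json);
        Object v = p.value();
        p.skipWs();
        if (p.pos != json.length()) throw new IllegalArgumentException("trailing data at " + p.pos);
        return v;
    }
    // RFC 8259 whitespace is space, tab, LF and CR; Character.isSpaceChar() misses the last three.
    private void skipWs() {
        while (pos < s.length() && " \t\n\r".indexOf(s.charAt(pos)) >= 0) pos++;
    }
    private char peek() {
        if (pos >= s.length()) throw new IllegalArgumentException("unexpected end of input");
        return s.charAt(pos);
    }
    private void take(char expected) {
        if (peek() != expected) throw new IllegalArgumentException("expected '" + expected + "' at " + pos);
        pos++;
    }
    // One level per container, checked before recursing any further: thousands of '[' fail fast
    // with a catchable exception rather than a StackOverflowError.
    private void enter() {
        if (++depth > MAX_DEPTH) throw new IllegalStateException("nesting deeper than " + MAX_DEPTH);
    }
    private Object value() {
        skipWs();
        char c = peek();
        return c == '[' ? array() : c == '{' ? object() : c == '"' ? string() : scalar();
    }
    private List<Object> array() {
        enter();
        take('[');
        List<Object> out = new ArrayList<>();
        for (skipWs(); peek() != ']'; skipWs()) {
            if (!out.isEmpty()) take(',');
            out.add(value());
        }
        take(']');
        depth--;
        return out;
    }
    private Map<String, Object> object() {
        enter();
        take('{');
        Map<String, Object> out = new LinkedHashMap<>();
        for (skipWs(); peek() != '}'; skipWs()) {
            if (!out.isEmpty()) { take(','); skipWs(); }
            String key = string();
            skipWs();
            take(':');
            out.put(key, value());
        }
        take('}');
        depth--;
        return out;
    }
    // Escapes are kept verbatim (decoding them is beside the point here), but a backslash always
    // protects the next character, so an escaped quote cannot terminate the string early.
    private String string() {
        take('"');
        StringBuilder sb = new StringBuilder();
        while (peek() != '"') {
            char c = s.charAt(pos++);
            if (c == '\\') { sb.append(c); c = peek(); pos++; }
            sb.append(c);
        }
        take('"');
        return sb.toString();
    }
    // Numbers and literals end at ',' ']' '}' or whitespace; ']' must count as a terminator,
    // otherwise "[1.1,4.0]" fails just as the float-array issue on this page describes.
    private Object scalar() {
        int start = pos;
        while (pos < s.length() && ",]} \t\n\r".indexOf(s.charAt(pos)) < 0) pos++;
        String tok = s.substring(start, pos);
        if (tok.equals("true")) return Boolean.TRUE;
        if (tok.equals("false")) return Boolean.FALSE;
        if (tok.equals("null")) return null;
        return Double.parseDouble(tok); // slightly looser than JSON's number grammar
    }

    public static void main(String[] args) {
        System.out.println(parse("[1.1, 2.2,\n-3.134598765,\t4.0]"));
        String deep = "[".repeat(9999) + "0" + "]".repeat(9999); // same shape as the issue's PoC (Java 11+)
        try { parse(deep); } catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run it with `java DepthLimitedJson.java` (Java 11 or later, for String.repeat and single-file launch): the first line prints the parsed float array, the second reports the 9999-level document as rejected. Every parse failure surfaces as IllegalArgumentException or IllegalStateException, which a caller can catch and log; a StackOverflowError cannot be relied on to be caught, which is why the check belongs in the parser and not around it.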

Support of JavaScript comments

It would be nice to have support for JavaScript comments in the JSON parser. It is outside the JSON specification, but could be triggered with an additional parser option.

NullPointerException if IndentPadding is used and a value is null

java.lang.NullPointerException
at org.kopitubruk.util.json.JSONUtil.isRecursible(JSONUtil.java:396)
at org.kopitubruk.util.json.JSONUtil.appendObjectPropertyValue(JSONUtil.java:453)
at org.kopitubruk.util.json.JSONUtil.appendRecursiblePropertyValue(JSONUtil.java:422)
at org.kopitubruk.util.json.JSONUtil.appendPropertyValue(JSONUtil.java:382)

isRecursible should just return false if the value is null.

JSON parsing fails if the JSON string contains newlines (\n)

JSON parsing fails if the JSON string contains newlines (\r or \n) or tabs (\t) as whitespace, which is allowed according to RFC 4627.
The reason is probably line 462 in JSONParser:
while ((codePoint >= 0) && (Character.isSpaceChar(codePoint)))
I think this should be Character.isWhitespace(codePoint).

The LINE_SEPARATOR mentioned in the javadoc of isSpaceChar is not one of the usual ones, but \u2028.

JSONUtil generates invalid JSON

We have to read and write the following JSON snippet from a real-world REST service (IBM cloud):

{
	"k:{\"foo\":\"bar\"}": {
		".": {},
		"f:x": {}
	}
}

We do not validate the property names, because the names often contain whitespace or dots and the JSON spec does not require the property names to be valid identifiers. However, if we read this snippet and write it again, the resulting JSON is invalid, because the quotes in the property name are no longer escaped:

JSONConfig config = new JSONConfig();
config.setValidatePropertyNames(false);
Object map = JSONParser.parseJSON(jsonIn, config);
String jsonOut = JSONUtil.toJSON(map, config);

jsonOut is now:

{
	"k:{"foo":"bar"}": {
		".": {},
		"f:x": {}
	}
}

Even if JSONUtil does not validate the property name, it should nevertheless generate a valid JSON label and escape embedded quotes.
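An added example, not jsonutil's code, of the escaping rule that this issue and the backslash issue above both ask for: a hypothetical EscapingJsonWriter whose quote() is applied to property names exactly as to values, so backslashes, embedded quotes and control characters always come out escaped and a standards-conforming parser reads back the original strings. The sample map in main is constructed to mirror both reports: the Windows path with literal backslashes and a key containing quotes, shaped like the IBM cloud snippet.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not jsonutil's code: a writer that escapes every string it emits, property
 *  names included, so that what it writes parses back to the same map. */
public class EscapingJsonWriter {

    /** Quotes a string per RFC 8259: '"', '\\' and all control characters are escaped. */
    public static String quote(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 2).append('"');
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;   // a lone backslash is never written through
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                case '\b': sb.append("\\b");  break;
                case '\f': sb.append("\\f");  break;
                default:
                    // remaining C0 controls, plus U+2028/U+2029 which break JavaScript string literals
                    if (c < 0x20 || c == 0x2028 || c == 0x2029) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    /** Writes a map as a JSON object; nested maps recurse, null stays null, anything else is a string. */
    @SuppressWarnings("unchecked")
    public static String toJson(Map<String, ?> map) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, ?> e : map.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            sb.append(quote(e.getKey())).append(':');   // the property name goes through quote() too
            Object v = e.getValue();
            if (v instanceof Map) sb.append(toJson((Map<String, ?>) v));
            else if (v == null) sb.append("null");
            else sb.append(quote(String.valueOf(v)));
        }
        return sb.append('}').toString();
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the two reports on this page.
        Map<String, Object> m = new LinkedHashMap<>();
        m.put("path", "c:\\temp\\next\\path\\realdummy.doc");   // four literal backslashes, as in the issue above
        Map<String, Object> inner = new LinkedHashMap<>();
        inner.put(".", new LinkedHashMap<String, Object>());
        inner.put("f:x", new LinkedHashMap<String, Object>());
        m.put("k:{\"foo\":\"bar\"}", inner);                       // property name with embedded quotes
        System.out.println(toJson(m));
    }
}
```

The output contains `"path":"c:\\temp\\next\\path\\realdummy.doc"` and the key `"k:{\"foo\":\"bar\"}"`, both of which a conforming parser decodes back to the original Java strings. Whether property names are validated as identifiers is a separate policy decision from whether they are escaped; escaping is never optional, because an unescaped quote in a name changes the structure of the document, not just one value.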

parse error for float arrays

Example: Parsing of [1.1,2.2,-3.134598765,4.0] results in JSONParseException "Unrecognized data starting with: [1.1,2.2,-3.134598765,4.0]" and the error marker pointing to the '.' in 4.0.
The reason seems to be in JAVASCRIPT_FLOATING_POINT_PAT, it does not accept ']' as terminator for a number, only comma and whitespace.

I think the last group of the pattern should be "([,\s]}]|$)" instead of "([,\s}]|$)"
