diff --git a/README.md b/README.md index f289872a..b7cc0fbc 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ # Changelog +### *V 2.3.1* +* Fixes [issue #60](https://github.com/netplex/json-smart-v2/issues/60) (CVE-2021-27568) + ### *V 2.3* * Patch 37 [issue 37](http://code.google.com/p/json-smart/issues/detail?id=37) * explicite support of char 127 [issue 18](http://code.google.com/p/json-smart/issues/detail?id=18) diff --git a/accessors-smart/pom.xml b/accessors-smart/pom.xml index a1eb998e..55c2af42 100644 --- a/accessors-smart/pom.xml +++ b/accessors-smart/pom.xml @@ -3,22 +3,22 @@ 4.0.0 net.minidev accessors-smart - 1.2-SNAPSHOT + 2.3.1 ASM based accessors helper used by json-smart Java reflect give poor performance on getter setter an constructor calls, accessors-smart use ASM to speed up those calls. bundle - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -33,8 +33,8 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 @@ -51,7 +51,7 @@ - + + + 53BE126D + @@ -196,8 +200,8 @@ 3.3 UTF-8 - 1.6 - 1.6 + ${maven.compiler.source} + ${maven.compiler.target} **/.svn/* **/.svn @@ -229,7 +233,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 2.10.4 false @@ -247,7 +251,7 @@ org.apache.felix maven-bundle-plugin - 3.3.0 + 3.5.1 true diff --git a/json-smart-action/pom.xml b/json-smart-action/pom.xml index e9ea3a3a..c032627b 100644 --- a/json-smart-action/pom.xml +++ b/json-smart-action/pom.xml 
@@ -3,26 +3,26 @@ net.minidev minidev-parent - 2.3-SNAPSHOT + 2.3.1 4.0.0 json-smart-action - JSON Small and Fast Parser + JSON-smart-action Small and Fast Parser JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language. bundle - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -43,8 +43,8 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 @@ -85,7 +85,9 @@ - 2C8DF6EC + + + 53BE126D @@ -190,8 +192,8 @@ 3.3 UTF-8 - 1.6 - 1.6 + ${maven.compiler.source} + ${maven.compiler.target} **/.svn/* **/.svn @@ -223,7 +225,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 2.10.4 false @@ -241,7 +243,7 @@ org.apache.felix maven-bundle-plugin - 3.0.0 + 3.5.1 true diff --git a/json-smart/pom.xml b/json-smart/pom.xml index 163e3ce0..89c43c44 100644 --- a/json-smart/pom.xml +++ b/json-smart/pom.xml @@ -3,7 +3,7 @@ net.minidev minidev-parent - 2.3-SNAPSHOT + 2.3.1 4.0.0 
@@ -13,17 +13,17 @@ JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language. bundle - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -44,8 +44,8 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 @@ -56,7 +56,7 @@ net.minidev accessors-smart - 1.2-SNAPSHOT + 2.3.1 @@ -87,7 +87,9 @@ - 2C8DF6EC + + + 53BE126D @@ -122,8 +124,10 @@ + org.apache.maven.plugins maven-javadoc-plugin + 3.2.0 attach-javadocs @@ -140,7 +144,7 @@ org.apache.maven.plugins maven-release-plugin - 2.5.2 + 2.5.3 forked-path -Psonatype-oss-release @@ -172,10 +176,10 @@ - + org.apache.maven.plugins maven-source-plugin - 2.4 + 3.2.1 bind-sources @@ -186,14 +190,14 @@ - + org.apache.maven.plugins maven-compiler-plugin - 3.3 + 3.8.1 UTF-8 - 1.6 - 1.6 + ${maven.compiler.source} + ${maven.compiler.target} **/.svn/* **/.svn @@ -201,19 +205,19 @@ - + org.apache.maven.plugins maven-resources-plugin - 2.7 + 3.2.0 UTF-8 - + org.apache.maven.plugins maven-jar-plugin - 2.6 + 3.2.0 **/.svn/* @@ -222,10 +226,10 @@ - + org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 3.2.0 false @@ -241,9 +245,10 @@ + org.apache.felix maven-bundle-plugin - 3.3.0 + 5.1.2 true diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java index a5dd024c..f3b6614d 100644 
--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
@@ -139,11 +139,15 @@ public void checkLeadinZero() throws ParseException {
 protected Number extractFloat() throws ParseException {
 if (!acceptLeadinZero)
 checkLeadinZero();
- if (!useHiPrecisionFloat)
- return Float.parseFloat(xs);
- if (xs.length() > 18) // follow JSonIJ parsing method
- return new BigDecimal(xs);
- return Double.parseDouble(xs);
+ try {
+ if (!useHiPrecisionFloat)
+ return Float.parseFloat(xs);
+ if (xs.length() > 18) // follow JSonIJ parsing method
+ return new BigDecimal(xs);
+ return Double.parseDouble(xs);
+ } catch (NumberFormatException e) {
+ throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);
+ }
 }
 /**
diff --git a/json-smart/src/test/java/net/minidev/json/test/TestFloat.java b/json-smart/src/test/java/net/minidev/json/test/TestFloat.java
index 5f1692bc..5387ddb6 100644
--- a/json-smart/src/test/java/net/minidev/json/test/TestFloat.java
+++ b/json-smart/src/test/java/net/minidev/json/test/TestFloat.java
@@ -4,6 +4,7 @@
 import net.minidev.json.JSONObject;
 import net.minidev.json.JSONStyle;
 import net.minidev.json.parser.JSONParser;
+import net.minidev.json.parser.ParseException;
 public class TestFloat extends TestCase {
 public static String[] TRUE_NUMBERS = new String[] { "1.0", "123.456", "1.0E1", "123.456E12", "1.0E+1",
@@ -13,6 +14,8 @@ public class TestFloat extends TestCase {
 public static String[] FALSE_NUMBERS = new String[] { "1.0%", "123.45.6", "1.0E", "++123.456E12", "+-01",
 "1.0E+1.2" };
+ public static String[] INVALID_NUMBERS = new String[] {"-.", "2e+", "[45e-"};
+
 public void testFloat() throws Exception {
 JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE);
 for (String s : TRUE_NUMBERS) {
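Review bot: The NumberFormatException bound as `e` in the new catch block of extractFloat is never attached to the ParseException that replaces it, so the reason a token such as `-.` or `2e+` was rejected is lost from any log or stack trace; unless ParseException has a cause-accepting constructor, keep it with `ParseException pe = new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs); pe.initCause(e); throw pe;`. The method also deserves a Javadoc line now that its failure mode is a contract, e.g. `@throws ParseException if the accumulated token is not a parseable number (previously escaped as an uncaught NumberFormatException; see CVE-2021-27568 in the changelog)`. If the sibling integer-extraction path in this class parses with Long.parseLong or BigInteger it presumably needs the same guard, but that code is outside this hunk, as is the enclosing class; extractFloat itself is complete within the hunk.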
@@ -35,6 +38,20 @@ public void testNonFloat() throws Exception {
 assertEquals("Should be re serialized as", correct, obj.toJSONString());
 }
 }
+
+ public void testInvalidNumbers() {
+ JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE);
+ for (String s : INVALID_NUMBERS) {
+ String json = "{v:" + s + "}";
+ try {
+ p.parse(json);
+ fail("Expected exception was not thrown.");
+ } catch (ParseException e) {
+ // everything is fine, we expected ParseException
+ }
+ }
+ }
+
 /**
 * Error reported in issue 44
 */
diff --git a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java
index b3576ef2..28fd984b 100644
--- a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java
+++ b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java
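Review bot: testInvalidNumbers drives the parser only through `JSONParser.MODE_PERMISSIVE`, so whichever of the Float.parseFloat / Double.parseDouble / BigDecimal branches that mode does not select stays unexercised by the regression test, although the fix guards all three; running the same INVALID_NUMBERS loop under each of the parser's other mode constants would pin the fix per branch. The catch block also accepts any ParseException, so a rejection at a different position or for a different reason would still pass; if ParseException exposes its error type, asserting it equals `ERROR_UNEXPECTED_TOKEN` inside the catch makes the test specific to this change. A short comment on INVALID_NUMBERS would help too, e.g. `// truncated numeric tokens that previously escaped as NumberFormatException`, since the leading `[` in `"[45e-"` otherwise looks like a typo rather than a deliberate input.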
@@ -1,54 +1,79 @@
 package net.minidev.json.test;
-import java.io.ByteArrayInputStream;
-import java.io.StringReader;
-
 import junit.framework.TestCase;
 import net.minidev.json.JSONObject;
 import net.minidev.json.JSONValue;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import java.io.ByteArrayInputStream;
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+@RunWith(Parameterized.class)
 public class TestUtf8 extends TestCase {
- // Sinhalese language
- static String[] nonLatinTexts = new String[] { "සිංහල ජාතිය", "日本語", "Русский", "فارسی", "한국어", "Հայերեն", "हिन्दी", "עברית", "中文", "አማርኛ", "മലയാളം",
- "ܐܬܘܪܝܐ", "მარგალური" };
-
- public void testString() throws Exception {
- for (String nonLatinText : nonLatinTexts) {
- String s = "{\"key\":\"" + nonLatinText + "\"}";
- JSONObject obj = (JSONObject) JSONValue.parse(s);
- String v = (String) obj.get("key"); // result is incorrect
- assertEquals(v, nonLatinText);
- }
- }
-
- public void testReader() throws Exception {
- for (String nonLatinText : nonLatinTexts) {
- String s = "{\"key\":\"" + nonLatinText + "\"}";
- StringReader reader = new StringReader(s);
- JSONObject obj = (JSONObject) JSONValue.parse(reader);
-
- String v = (String) obj.get("key"); // result is incorrect
- assertEquals(v, nonLatinText);
- }
- }
-
- public void testInputStream() throws Exception {
- for (String nonLatinText : nonLatinTexts) {
- String s = "{\"key\":\"" + nonLatinText + "\"}";
- ByteArrayInputStream bis = new ByteArrayInputStream(s.getBytes("utf8"));
- JSONObject obj = (JSONObject) JSONValue.parse(bis);
- String v = (String) obj.get("key"); // result is incorrect
- assertEquals(v, nonLatinText);
- }
- }
-
- public void testBytes() throws Exception {
- for (String nonLatinText : nonLatinTexts) {
- String s = "{\"key\":\"" + nonLatinText + "\"}";
- byte[] bs = s.getBytes("utf8");
- JSONObject obj = (JSONObject) JSONValue.parse(bs);
- String v = (String) obj.get("key"); // result is incorrect
- assertEquals(v, nonLatinText);
- }
- }
+
+ @Parameterized.Parameter(0)
+ public String language;
+
+ @Parameterized.Parameter(1)
+ public String nonLatinText;
+
+ @Parameterized.Parameters(name = "{index}: language=''{0}'', text=''{1}''")
+ public static Collection nonLatinTexts() {
+ List nonLatinTexts = new ArrayList();
+ nonLatinTexts.add(new Object[]{"Sinhala", "සිංහල ජාතිය"});
+ nonLatinTexts.add(new Object[]{"Japanese", "日本語"});
+ nonLatinTexts.add(new Object[]{"Russian", "Русский"});
+ nonLatinTexts.add(new Object[]{"Farsi", "فارسی"});
+ nonLatinTexts.add(new Object[]{"Korean", "한국어"});
+ nonLatinTexts.add(new Object[]{"Armenian", "Հայերեն"});
+ nonLatinTexts.add(new Object[]{"Hindi", "हिन्दी"});
+ nonLatinTexts.add(new Object[]{"Hebrew", "עברית"});
+ nonLatinTexts.add(new Object[]{"Chinese", "中文"});
+ nonLatinTexts.add(new Object[]{"Amharic", "አማርኛ"});
+ nonLatinTexts.add(new Object[]{"Malayalam", "മലയാളം"});
+ nonLatinTexts.add(new Object[]{"Assyrian Neo-Aramaic", "ܐܬܘܪܝܐ"});
+ nonLatinTexts.add(new Object[]{"Georgian", "მარგალური"});
+ nonLatinTexts.add(new Object[]{"Emojis", "🐶🐱🐭🐹🐰🦊🐻🐼🐻‍❄🐨🐯🦁🐮🐷🐽🐸🐵🙈🙉🙊🐒🐔🐧🐦🐤🐣🐥🦆🦅🦉🦇🐺🐗🐴🦄🐝🐛"});
+ return nonLatinTexts;
+ }
+
+ @Test
+ public void testString() {
+ String s = "{\"key\":\"" + nonLatinText + "\"}";
+ JSONObject obj = (JSONObject) JSONValue.parse(s);
+ String actual = (String) obj.get("key");
+ assertEquals("Parsing String " + language + " text", nonLatinText, actual);
+ }
+
+ @Test
+ public void testReader() {
+ String s = "{\"key\":\"" + nonLatinText + "\"}";
+ StringReader reader = new StringReader(s);
+ JSONObject obj = (JSONObject) JSONValue.parse(reader);
+ String actual = (String) obj.get("key");
+ assertEquals("Parsing StringReader " + language + " text", nonLatinText, actual);
+ }
+
+ @Test
+ public void testInputStream() throws Exception {
+ String s = "{\"key\":\"" + nonLatinText + "\"}";
+ ByteArrayInputStream bis = new 
ByteArrayInputStream(s.getBytes("utf8")); + JSONObject obj = (JSONObject) JSONValue.parse(bis); + String actual = (String) obj.get("key"); + assertEquals("Parsing ByteArrayInputStream " + language + " text", nonLatinText, actual); + } + + @Test + public void testBytes() throws Exception { + String s = "{\"key\":\"" + nonLatinText + "\"}"; + byte[] bs = s.getBytes("utf8"); + JSONObject obj = (JSONObject) JSONValue.parse(bs); + String actual = (String) obj.get("key"); + assertEquals("Parsing bytes[] " + language + " text", nonLatinText, actual); + } } diff --git a/pom.xml b/pom.xml index f15528f6..9bf57162 100644 --- a/pom.xml +++ b/pom.xml @@ -3,15 +3,15 @@ 4.0.0 net.minidev minidev-parent - 2.3-SNAPSHOT + 2.3.1 Minidev super pom minidev common properties. pom - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ @@ -19,7 +19,7 @@ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -36,16 +36,16 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 - + org.apache.maven.plugins maven-source-plugin - 2.4 + 3.2.1 bind-sources @@ -56,46 +56,38 @@ - + org.apache.maven.plugins maven-compiler-plugin - 3.3 + 3.8.1 UTF-8 - 1.6 - 1.6 - - **/.svn/* - **/.svn - + ${maven.compiler.source} + ${maven.compiler.target} - + org.apache.maven.plugins maven-resources-plugin - 2.7 + 3.2.0 UTF-8 - + org.apache.maven.plugins maven-jar-plugin - 2.6 + 3.2.0 - - **/.svn/* - **/.svn - - + org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 3.2.0 false @@ -114,7 +106,6 @@ - scm:git:https://github.com/netplex/json-smart-v2.git scm:git:https://github.com/netplex/json-smart-v2.git https://github.com/netplex/json-smart-v2 @@ -122,10 +113,10 @@ - + org.apache.maven.plugins maven-checkstyle-plugin - 2.17 + 3.1.2 google_checks.xml @@ -134,9 +125,9 @@ - accessors-smart - json-smart-action - json-smart + + + @@ -148,10 +139,8 @@ ossrh https://oss.sonatype.org/service/local/staging/deploy/maven2/ - - + release-sign-artifacts 
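Review bot: nonLatinTexts() is declared as a raw `Collection` and fills a raw `ArrayList`, which the compiler accepts only with unchecked warnings now that the pom hunks in this commit raise source/target to 1.8; parameterize both as `public static Collection<Object[]> nonLatinTexts() {` and `List<Object[]> nonLatinTexts = new ArrayList<Object[]>();`. testInputStream and testBytes still encode with `s.getBytes("utf8")`, a by-name charset lookup that is why both methods carry `throws Exception`; with Java 8 as the floor, `s.getBytes(StandardCharsets.UTF_8)` (import java.nio.charset.StandardCharsets) removes the checked exception and the string lookup. Keeping `extends TestCase` while adding `@RunWith(Parameterized.class)` appears to work because JUnit 4 honours the annotated runner before its JUnit 3 detection, but a one-line comment saying so, or dropping the superclass in favour of `org.junit.Assert.assertEquals`, would spare the next reader the question.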
@@ -163,8 +152,11 @@ - 8E322ED0 + + + + 53BE126D @@ -213,10 +205,10 @@ tag, deploy) to try: mvn release:prepare -DdryRun=true && mvn release:clean to perform: mvn release:prepare release:perform Read http://nexus.sonatype.org/oss-repository-hosting.html#3 for instructions on releasing to this project's Sonatype repository --> - + org.apache.maven.plugins maven-release-plugin - 2.5.2 + 3.0.0-M1 forked-path -Psonatype-oss-release @@ -266,6 +258,7 @@ junit junit 4.12 + test