From 8840d5399897c4dc683fb2426530bd93467f077f Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 18:19:12 +0200 Subject: [PATCH 01/11] Maven Plugin Update Update maven plugin and contact information to match master pom.xml --- accessors-smart/pom.xml | 26 ++++++++------- json-smart-action/pom.xml | 24 +++++++------- json-smart/pom.xml | 45 ++++++++++++++------------ pom.xml | 67 ++++++++++++++++++--------------------- 4 files changed, 83 insertions(+), 79 deletions(-) diff --git a/accessors-smart/pom.xml b/accessors-smart/pom.xml index a1eb998e..71f96e46 100644 --- a/accessors-smart/pom.xml +++ b/accessors-smart/pom.xml @@ -8,17 +8,17 @@ Java reflect give poor performance on getter setter an constructor calls, accessors-smart use ASM to speed up those calls. bundle - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -33,8 +33,8 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 @@ -51,7 +51,7 @@ - + + + 53BE126D + @@ -196,8 +200,8 @@ 3.3 UTF-8 - 1.6 - 1.6 + ${maven.compiler.source} + ${maven.compiler.target} **/.svn/* **/.svn @@ -229,7 +233,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 2.10.4 false @@ -247,7 +251,7 @@ org.apache.felix maven-bundle-plugin - 3.3.0 + 3.5.1 true diff --git a/json-smart-action/pom.xml b/json-smart-action/pom.xml index e9ea3a3a..defb02be 100644 --- a/json-smart-action/pom.xml +++ b/json-smart-action/pom.xml 
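Review bot: The value `53BE126D` introduced in the accessors-smart hunk at `@@ -51,7 +51,7 @@` is an eight-hex-digit string that looks like a short GPG key id; the element name is not readable in this rendering, so that it feeds the signing plugin is inferred. The same value replaces `2C8DF6EC` in the json-smart-action and json-smart hunks and `8E322ED0` under the `release-sign-artifacts` profile of the root pom.xml. Short key ids are not collision-resistant, so the release build can select a different key than intended if another key with the same short id is in the keyring. If this is the `gpg.keyname` property, prefer the full fingerprint, e.g. `<gpg.keyname>FULL_40_HEX_FINGERPRINT_PLACEHOLDER</gpg.keyname>`, and mention the key change in the release notes so consumers who verify signatures know which key to expect.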
@@ -7,22 +7,22 @@ 4.0.0 json-smart-action - JSON Small and Fast Parser + JSON-smart-action Small and Fast Parser JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language. bundle - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -43,8 +43,8 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 @@ -85,7 +85,9 @@ - 2C8DF6EC + + + 53BE126D @@ -190,8 +192,8 @@ 3.3 UTF-8 - 1.6 - 1.6 + ${maven.compiler.source} + ${maven.compiler.target} **/.svn/* **/.svn @@ -223,7 +225,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 2.10.4 false @@ -241,7 +243,7 @@ org.apache.felix maven-bundle-plugin - 3.0.0 + 3.5.1 true diff --git a/json-smart/pom.xml b/json-smart/pom.xml index 163e3ce0..729d9dc8 100644 --- a/json-smart/pom.xml +++ b/json-smart/pom.xml 
@@ -13,17 +13,17 @@ JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language. bundle - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -44,8 +44,8 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 @@ -87,7 +87,9 @@ - 2C8DF6EC + + + 53BE126D @@ -122,8 +124,10 @@ + org.apache.maven.plugins maven-javadoc-plugin + 3.2.0 attach-javadocs @@ -140,7 +144,7 @@ org.apache.maven.plugins maven-release-plugin - 2.5.2 + 2.5.3 forked-path -Psonatype-oss-release @@ -172,10 +176,10 @@ - + org.apache.maven.plugins maven-source-plugin - 2.4 + 3.2.1 bind-sources @@ -186,14 +190,14 @@ - + org.apache.maven.plugins maven-compiler-plugin - 3.3 + 3.8.1 UTF-8 - 1.6 - 1.6 + ${maven.compiler.source} + ${maven.compiler.target} **/.svn/* **/.svn @@ -201,19 +205,19 @@ - + org.apache.maven.plugins maven-resources-plugin - 2.7 + 3.2.0 UTF-8 - + org.apache.maven.plugins maven-jar-plugin - 2.6 + 3.2.0 **/.svn/* @@ -222,10 +226,10 @@ - + org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 3.2.0 false @@ -241,9 +245,10 @@ + org.apache.felix maven-bundle-plugin - 3.3.0 + 5.1.2 true diff --git a/pom.xml b/pom.xml index f15528f6..d91dc2e3 100644 --- a/pom.xml +++ b/pom.xml @@ -7,11 +7,11 @@ Minidev super pom minidev common properties. pom - http://www.minidev.net/ + https://urielch.github.io/ Chemouni Uriel - http://www.minidev.net/ + https://urielch.github.io/ 
@@ -19,7 +19,7 @@ uriel Uriel Chemouni uchemouni@gmail.com - GMT-7 + GMT+3 @@ -36,16 +36,16 @@ UTF-8 - 1.5 - 1.5 + 1.8 + 1.8 - + org.apache.maven.plugins maven-source-plugin - 2.4 + 3.2.1 bind-sources @@ -56,46 +56,38 @@ - + org.apache.maven.plugins maven-compiler-plugin - 3.3 + 3.8.1 UTF-8 - 1.6 - 1.6 - - **/.svn/* - **/.svn - + ${maven.compiler.source} + ${maven.compiler.target} - + org.apache.maven.plugins maven-resources-plugin - 2.7 + 3.2.0 UTF-8 - + org.apache.maven.plugins maven-jar-plugin - 2.6 + 3.2.0 - - **/.svn/* - **/.svn - - + org.apache.maven.plugins maven-javadoc-plugin - 2.10.3 + 3.2.0 false @@ -114,7 +106,6 @@ - scm:git:https://github.com/netplex/json-smart-v2.git scm:git:https://github.com/netplex/json-smart-v2.git https://github.com/netplex/json-smart-v2 @@ -122,10 +113,10 @@ - + org.apache.maven.plugins maven-checkstyle-plugin - 2.17 + 3.1.2 google_checks.xml @@ -134,9 +125,9 @@ - accessors-smart - json-smart-action - json-smart + + + @@ -148,10 +139,8 @@ ossrh https://oss.sonatype.org/service/local/staging/deploy/maven2/ - - + release-sign-artifacts @@ -163,8 +152,11 @@ - 8E322ED0 + + + + 53BE126D @@ -213,10 +205,10 @@ tag, deploy) to try: mvn release:prepare -DdryRun=true && mvn release:clean to perform: mvn release:prepare release:perform Read http://nexus.sonatype.org/oss-repository-hosting.html#3 for instructions on releasing to this project's Sonatype repository --> - + org.apache.maven.plugins maven-release-plugin - 2.5.2 + 3.0.0-M1 forked-path -Psonatype-oss-release @@ -266,6 +258,7 @@ junit junit 4.12 + test From b3d52aa168e5a474c70a8e9ec69f823c2e7216ca Mon Sep 17 00:00:00 2001 
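Review bot: The hunk at `@@ -134,9 +125,9 @@` removes the three entries `accessors-smart`, `json-smart-action` and `json-smart`, which appear to be the reactor's module list; tags are not readable in this rendering, and the three added lines are blank here, possibly comments. If the modules are no longer part of the root build, a build from the root pom would not compile or test them. The parser fix and its TestFloat case later in this series would then only run when json-smart is built on its own, with accessors-smart resolved from a repository rather than from the source tree. If that is intended, a comment such as `<!-- modules are built and released individually; build accessors-smart before json-smart -->` would make the required order explicit.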
From: dpeger Date: Fri, 23 Apr 2021 17:38:38 +0200 Subject: [PATCH 02/11] [#60][#62] Unchecked Exception in Parser Caught unchecked `NumberFormatException` during float parsing and converted into checked `ParseException`. Fixes #60 --- .../net/minidev/json/parser/JSONParserBase.java | 14 +++++++++----- .../java/net/minidev/json/test/TestFloat.java | 17 +++++++++++++++++ 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java index a5dd024c..f3b6614d 100644 --- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java +++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java @@ -139,11 +139,15 @@ public void checkLeadinZero() throws ParseException { protected Number extractFloat() throws ParseException { if (!acceptLeadinZero) checkLeadinZero(); - if (!useHiPrecisionFloat) - return Float.parseFloat(xs); - if (xs.length() > 18) // follow JSonIJ parsing method - return new BigDecimal(xs); - return Double.parseDouble(xs); + try { + if (!useHiPrecisionFloat) + return Float.parseFloat(xs); + if (xs.length() > 18) // follow JSonIJ parsing method + return new BigDecimal(xs); + return Double.parseDouble(xs); + } catch (NumberFormatException e) { + throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs); + } } /** diff --git a/json-smart/src/test/java/net/minidev/json/test/TestFloat.java b/json-smart/src/test/java/net/minidev/json/test/TestFloat.java index 5f1692bc..5387ddb6 100644 --- a/json-smart/src/test/java/net/minidev/json/test/TestFloat.java +++ b/json-smart/src/test/java/net/minidev/json/test/TestFloat.java 
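Review bot: The new catch in extractFloat() converts the NumberFormatException into a ParseException but discards the original exception, so the reason the token was rejected is lost to anyone reading a stack trace; keeping it is cheap, e.g. `ParseException pe = new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs); pe.initCause(e); throw pe;`. A short comment above the try would record why it exists: `// xs comes from untrusted input; malformed tokens such as "-." must surface as ParseException, never as an unchecked exception`. Separately, `new BigDecimal(xs)` is still reached for any token longer than 18 characters with no upper bound on its length, which is worth capping when the parser is fed untrusted input. Whether other conversion sites in the parser can raise unchecked exceptions is not visible here; the hunk shows only this method, in full.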
@@ -4,6 +4,7 @@ import net.minidev.json.JSONObject; import net.minidev.json.JSONStyle; import net.minidev.json.parser.JSONParser; +import net.minidev.json.parser.ParseException; public class TestFloat extends TestCase { public static String[] TRUE_NUMBERS = new String[] { "1.0", "123.456", "1.0E1", "123.456E12", "1.0E+1", @@ -13,6 +14,8 @@ public class TestFloat extends TestCase { public static String[] FALSE_NUMBERS = new String[] { "1.0%", "123.45.6", "1.0E", "++123.456E12", "+-01", "1.0E+1.2" }; + public static String[] INVALID_NUMBERS = new String[] {"-.", "2e+", "[45e-"}; + public void testFloat() throws Exception { JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE); for (String s : TRUE_NUMBERS) { @@ -35,6 +38,20 @@ public void testNonFloat() throws Exception { assertEquals("Should be re serialized as", correct, obj.toJSONString()); } } + + public void testInvalidNumbers() { + JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE); + for (String s : INVALID_NUMBERS) { + String json = "{v:" + s + "}"; + try { + p.parse(json); + fail("Expected exception was not thrown."); + } catch (ParseException e) { + // everything is fine, we expected ParseException + } + } + } + /** * Error reported in issue 44 */ From eabd85e1a8213f75965dc2696144e71c245f7167 Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 18:22:08 +0200 Subject: [PATCH 03/11] Version bump to 2.3.1 --- accessors-smart/pom.xml | 2 +- json-smart-action/pom.xml | 2 +- json-smart/pom.xml | 4 ++-- pom.xml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/accessors-smart/pom.xml b/accessors-smart/pom.xml index 71f96e46..55c2af42 100644 --- a/accessors-smart/pom.xml +++ b/accessors-smart/pom.xml @@ -3,7 +3,7 @@ 4.0.0 net.minidev accessors-smart - 1.2-SNAPSHOT + 2.3.1 ASM based accessors helper used by json-smart Java reflect give poor performance on getter setter an constructor calls, accessors-smart use ASM to speed up those calls. 
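Review bot: The catch block in testInvalidNumbers() accepts any ParseException, so the test would still pass if the parser rejected `{v:-.}` for an unrelated reason; assert what was reported, e.g. `assertEquals(ParseException.ERROR_UNEXPECTED_TOKEN, e.getErrorType());` (assuming the constant and accessor are public on ParseException, which this hunk does not show). The loop also exercises only the String entry point with MODE_PERMISSIVE; the Reader, InputStream and byte[] entry points that TestUtf8 uses are worth covering too, since each can receive untrusted input. Naming the input in the failure message, `fail("Expected ParseException for: " + json);`, makes a regression easier to locate.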
diff --git a/json-smart-action/pom.xml b/json-smart-action/pom.xml index defb02be..c032627b 100644 --- a/json-smart-action/pom.xml +++ b/json-smart-action/pom.xml @@ -3,7 +3,7 @@ net.minidev minidev-parent - 2.3-SNAPSHOT + 2.3.1 4.0.0 json-smart-action diff --git a/json-smart/pom.xml b/json-smart/pom.xml index 729d9dc8..89c43c44 100644 --- a/json-smart/pom.xml +++ b/json-smart/pom.xml @@ -3,7 +3,7 @@ net.minidev minidev-parent - 2.3-SNAPSHOT + 2.3.1 4.0.0 @@ -56,7 +56,7 @@ net.minidev accessors-smart - 1.2-SNAPSHOT + 2.3.1 diff --git a/pom.xml b/pom.xml index d91dc2e3..9bf57162 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 net.minidev minidev-parent - 2.3-SNAPSHOT + 2.3.1 Minidev super pom minidev common properties. pom From 42e4e68f23ffd1c6a1f037a41c9c00f96695ca03 Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 18:41:15 +0200 Subject: [PATCH 04/11] Test improvments --- .../java/net/minidev/json/test/TestUtf8.java | 61 ++++++++++++++----- 1 file changed, 45 insertions(+), 16 deletions(-) diff --git a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java index b3576ef2..d9c44c44 100644 --- a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java +++ b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java 
@@ -2,53 +2,82 @@ import java.io.ByteArrayInputStream; import java.io.StringReader; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; import junit.framework.TestCase; import net.minidev.json.JSONObject; import net.minidev.json.JSONValue; public class TestUtf8 extends TestCase { - // Sinhalese language - static String[] nonLatinTexts = new String[] { "සිංහල ජාතිය", "日本語", "Русский", "فارسی", "한국어", "Հայերեն", "हिन्दी", "עברית", "中文", "አማርኛ", "മലയാളം", - "ܐܬܘܪܝܐ", "მარგალური" }; + + public static Map nonLatinTexts = new HashMap(); + { + nonLatinTexts.put("Sinhala", "සිංහල ජාතිය"); + nonLatinTexts.put("Japanese", "日本語"); + nonLatinTexts.put("Russian", "Русский"); + nonLatinTexts.put("Farsi", "فارسی"); + nonLatinTexts.put("Korean", "한국어"); + nonLatinTexts.put("Armenian", "Հայերեն"); + nonLatinTexts.put("Hindi", "हिन्दी"); + nonLatinTexts.put("Hebrew", "עברית"); + nonLatinTexts.put("Chinese", "中文"); + nonLatinTexts.put("Amharic", "አማርኛ"); + nonLatinTexts.put("Malayalam", "മലയാളം"); + nonLatinTexts.put("Assyrian Neo-Aramaic", "ܐܬܘܪܝܐ"); + nonLatinTexts.put("Georgian", "მარგალური"); + + } public void testString() throws Exception { - for (String nonLatinText : nonLatinTexts) { + for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { + String language = nonLatinEntry.getKey(); + String nonLatinText = nonLatinEntry.getValue(); + String s = "{\"key\":\"" + nonLatinText + "\"}"; JSONObject obj = (JSONObject) JSONValue.parse(s); - String v = (String) obj.get("key"); // result is incorrect - assertEquals(v, nonLatinText); + String actual = (String) obj.get("key"); + assertEquals("Parsing String " + language + " text", nonLatinText, actual); } } public void testReader() throws Exception { - for (String nonLatinText : nonLatinTexts) { + for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { + String language = nonLatinEntry.getKey(); + String nonLatinText = nonLatinEntry.getValue(); + String s = "{\"key\":\"" + nonLatinText + "\"}"; StringReader 
reader = new StringReader(s); JSONObject obj = (JSONObject) JSONValue.parse(reader); - - String v = (String) obj.get("key"); // result is incorrect - assertEquals(v, nonLatinText); + String actual = (String) obj.get("key"); + assertEquals("Parsing StringReader " + language + " text", nonLatinText, actual); } } public void testInputStream() throws Exception { - for (String nonLatinText : nonLatinTexts) { + for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { + String language = nonLatinEntry.getKey(); + String nonLatinText = nonLatinEntry.getValue(); + String s = "{\"key\":\"" + nonLatinText + "\"}"; ByteArrayInputStream bis = new ByteArrayInputStream(s.getBytes("utf8")); JSONObject obj = (JSONObject) JSONValue.parse(bis); - String v = (String) obj.get("key"); // result is incorrect - assertEquals(v, nonLatinText); + String actual = (String) obj.get("key"); + assertEquals("Parsing ByteArrayInputStream " + language + " text", nonLatinText, actual); } } public void testBytes() throws Exception { - for (String nonLatinText : nonLatinTexts) { + for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { + String language = nonLatinEntry.getKey(); + String nonLatinText = nonLatinEntry.getValue(); + String s = "{\"key\":\"" + nonLatinText + "\"}"; byte[] bs = s.getBytes("utf8"); JSONObject obj = (JSONObject) JSONValue.parse(bs); - String v = (String) obj.get("key"); // result is incorrect - assertEquals(v, nonLatinText); + String actual = (String) obj.get("key"); + assertEquals("Parsing bytes[] " + language + " text", nonLatinText, actual); } } } From 0af2cc1dc59c1ab09503206d6622660b3c29b31d Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 19:37:54 +0200 Subject: [PATCH 05/11] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index f289872a..b7cc0fbc 100644 --- a/README.md +++ b/README.md 
@@ -6,6 +6,9 @@ # Changelog +### *V 2.3.1* +* Fixes [issue #60](https://github.com/netplex/json-smart-v2/issues/60) (CVE-2021-27568) + ### *V 2.3* * Patch 37 [issue 37](http://code.google.com/p/json-smart/issues/detail?id=37) * explicite support of char 127 [issue 18](http://code.google.com/p/json-smart/issues/detail?id=18) From 276114147fc118bc24c7fb92db88049aaef96a1d Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 21:21:26 +0200 Subject: [PATCH 06/11] Test improvments --- json-smart/src/test/java/net/minidev/json/test/TestUtf8.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java index d9c44c44..b6f7f887 100644 --- a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java +++ b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java @@ -13,7 +13,7 @@ public class TestUtf8 extends TestCase { public static Map nonLatinTexts = new HashMap(); - { + static { nonLatinTexts.put("Sinhala", "සිංහල ජාතිය"); nonLatinTexts.put("Japanese", "日本語"); nonLatinTexts.put("Russian", "Русский"); From 47a5b023896d2d9c6139d52e6800e2ac253a2332 Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 22:01:20 +0200 Subject: [PATCH 07/11] Test improvments Modified test to use Junit4's `Parameterized` runner and added an emoji test --- .../java/net/minidev/json/test/TestUtf8.java | 132 +++++++++--------- 1 file changed, 64 insertions(+), 68 deletions(-) diff --git a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java index b6f7f887..28fd984b 100644 --- a/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java +++ b/json-smart/src/test/java/net/minidev/json/test/TestUtf8.java 
@@ -1,83 +1,79 @@ package net.minidev.json.test; -import java.io.ByteArrayInputStream; -import java.io.StringReader; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; - import junit.framework.TestCase; import net.minidev.json.JSONObject; import net.minidev.json.JSONValue; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; -public class TestUtf8 extends TestCase { - - public static Map nonLatinTexts = new HashMap(); - static { - nonLatinTexts.put("Sinhala", "සිංහල ජාතිය"); - nonLatinTexts.put("Japanese", "日本語"); - nonLatinTexts.put("Russian", "Русский"); - nonLatinTexts.put("Farsi", "فارسی"); - nonLatinTexts.put("Korean", "한국어"); - nonLatinTexts.put("Armenian", "Հայերեն"); - nonLatinTexts.put("Hindi", "हिन्दी"); - nonLatinTexts.put("Hebrew", "עברית"); - nonLatinTexts.put("Chinese", "中文"); - nonLatinTexts.put("Amharic", "አማርኛ"); - nonLatinTexts.put("Malayalam", "മലയാളം"); - nonLatinTexts.put("Assyrian Neo-Aramaic", "ܐܬܘܪܝܐ"); - nonLatinTexts.put("Georgian", "მარგალური"); - - } +import java.io.ByteArrayInputStream; +import java.io.StringReader; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; - public void testString() throws Exception { - for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { - String language = nonLatinEntry.getKey(); - String nonLatinText = nonLatinEntry.getValue(); +@RunWith(Parameterized.class) +public class TestUtf8 extends TestCase { - String s = "{\"key\":\"" + nonLatinText + "\"}"; - JSONObject obj = (JSONObject) JSONValue.parse(s); - String actual = (String) obj.get("key"); - assertEquals("Parsing String " + language + " text", nonLatinText, actual); - } - } + @Parameterized.Parameter(0) + public String language; - public void testReader() throws Exception { - for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { - String language = nonLatinEntry.getKey(); - String nonLatinText = nonLatinEntry.getValue(); + 
@Parameterized.Parameter(1) + public String nonLatinText; - String s = "{\"key\":\"" + nonLatinText + "\"}"; - StringReader reader = new StringReader(s); - JSONObject obj = (JSONObject) JSONValue.parse(reader); - String actual = (String) obj.get("key"); - assertEquals("Parsing StringReader " + language + " text", nonLatinText, actual); - } - } + @Parameterized.Parameters(name = "{index}: language=''{0}'', text=''{1}''") + public static Collection nonLatinTexts() { + List nonLatinTexts = new ArrayList(); + nonLatinTexts.add(new Object[]{"Sinhala", "සිංහල ජාතිය"}); + nonLatinTexts.add(new Object[]{"Japanese", "日本語"}); + nonLatinTexts.add(new Object[]{"Russian", "Русский"}); + nonLatinTexts.add(new Object[]{"Farsi", "فارسی"}); + nonLatinTexts.add(new Object[]{"Korean", "한국어"}); + nonLatinTexts.add(new Object[]{"Armenian", "Հայերեն"}); + nonLatinTexts.add(new Object[]{"Hindi", "हिन्दी"}); + nonLatinTexts.add(new Object[]{"Hebrew", "עברית"}); + nonLatinTexts.add(new Object[]{"Chinese", "中文"}); + nonLatinTexts.add(new Object[]{"Amharic", "አማርኛ"}); + nonLatinTexts.add(new Object[]{"Malayalam", "മലയാളം"}); + nonLatinTexts.add(new Object[]{"Assyrian Neo-Aramaic", "ܐܬܘܪܝܐ"}); + nonLatinTexts.add(new Object[]{"Georgian", "მარგალური"}); + nonLatinTexts.add(new Object[]{"Emojis", "🐶🐱🐭🐹🐰🦊🐻🐼🐻‍❄🐨🐯🦁🐮🐷🐽🐸🐵🙈🙉🙊🐒🐔🐧🐦🐤🐣🐥🦆🦅🦉🦇🐺🐗🐴🦄🐝🐛"}); + return nonLatinTexts; + } - public void testInputStream() throws Exception { - for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { - String language = nonLatinEntry.getKey(); - String nonLatinText = nonLatinEntry.getValue(); + @Test + public void testString() { + String s = "{\"key\":\"" + nonLatinText + "\"}"; + JSONObject obj = (JSONObject) JSONValue.parse(s); + String actual = (String) obj.get("key"); + assertEquals("Parsing String " + language + " text", nonLatinText, actual); + } - String s = "{\"key\":\"" + nonLatinText + "\"}"; - ByteArrayInputStream bis = new ByteArrayInputStream(s.getBytes("utf8")); - JSONObject obj = (JSONObject) 
JSONValue.parse(bis); - String actual = (String) obj.get("key"); - assertEquals("Parsing ByteArrayInputStream " + language + " text", nonLatinText, actual); - } - } + @Test + public void testReader() { + String s = "{\"key\":\"" + nonLatinText + "\"}"; + StringReader reader = new StringReader(s); + JSONObject obj = (JSONObject) JSONValue.parse(reader); + String actual = (String) obj.get("key"); + assertEquals("Parsing StringReader " + language + " text", nonLatinText, actual); + } - public void testBytes() throws Exception { - for (Map.Entry nonLatinEntry : nonLatinTexts.entrySet()) { - String language = nonLatinEntry.getKey(); - String nonLatinText = nonLatinEntry.getValue(); + @Test + public void testInputStream() throws Exception { + String s = "{\"key\":\"" + nonLatinText + "\"}"; + ByteArrayInputStream bis = new ByteArrayInputStream(s.getBytes("utf8")); + JSONObject obj = (JSONObject) JSONValue.parse(bis); + String actual = (String) obj.get("key"); + assertEquals("Parsing ByteArrayInputStream " + language + " text", nonLatinText, actual); + } - String s = "{\"key\":\"" + nonLatinText + "\"}"; - byte[] bs = s.getBytes("utf8"); - JSONObject obj = (JSONObject) JSONValue.parse(bs); - String actual = (String) obj.get("key"); - assertEquals("Parsing bytes[] " + language + " text", nonLatinText, actual); - } - } + @Test + public void testBytes() throws Exception { + String s = "{\"key\":\"" + nonLatinText + "\"}"; + byte[] bs = s.getBytes("utf8"); + JSONObject obj = (JSONObject) JSONValue.parse(bs); + String actual = (String) obj.get("key"); + assertEquals("Parsing bytes[] " + language + " text", nonLatinText, actual); + } } From 340faf5590898f22ba40533226f6e37d355fdb5b Mon Sep 17 00:00:00 2001 
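Review bot: `public class TestUtf8 extends TestCase` combined with `@RunWith(Parameterized.class)` mixes the JUnit 3 base class with the JUnit 4 runner; a launcher that selects JUnit 3 by superclass would run the methods without injecting `language` and `nonLatinText`. Dropping the superclass and adding `import static org.junit.Assert.assertEquals;` keeps the class purely JUnit 4. In testInputStream() and testBytes(), `s.getBytes("utf8")` can become `s.getBytes(StandardCharsets.UTF_8)`, which removes the checked exception and the `throws Exception` clause. The JSON text is built by concatenation without escaping, which is fine for the listed samples but would break for one containing `"` or `\`; a one-line comment on nonLatinTexts() saying so would help.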
From: dpeger Date: Fri, 23 Apr 2021 22:19:33 +0200 Subject: [PATCH 08/11] [#73] Avoid `String` creation using system default charset Used `StandardCharsets.UTF_8` to create `String` in `JSONParserByteArray` to avoid dependency on system's default charset --- .../java/net/minidev/json/parser/JSONParserByteArray.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java index 80f587e2..17e590f3 100644 --- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java +++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java @@ -19,6 +19,9 @@ import net.minidev.json.JSONValue; import net.minidev.json.writer.JsonReaderI; +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; + /** * Parser for JSON text. Please note that JSONParser is NOT thread-safe. * @@ -59,7 +62,7 @@ public T parse(byte[] in, JsonReaderI mapper) throws ParseException { } protected void extractString(int beginIndex, int endIndex) { - xs = new String(in, beginIndex, endIndex - beginIndex); + xs = new String(in, beginIndex, endIndex - beginIndex, StandardCharsets.UTF_8); } protected void extractStringTrim(int start, int stop) { @@ -71,7 +74,7 @@ protected void extractStringTrim(int start, int stop) { while ((start < stop) && (val[stop - 1] <= ' ')) { stop--; } - xs = new String(in, start, stop - start); + xs = new String(in, start, stop - start, StandardCharsets.UTF_8); } protected int indexOf(char c, int pos) { From 306617da53930a9aad26a92dc84613e2409f952b Mon Sep 17 00:00:00 2001 From: dpeger Date: Fri, 23 Apr 2021 22:32:35 +0200 Subject: [PATCH 09/11] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b7cc0fbc..d6b6159d 100644 --- a/README.md +++ b/README.md 
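Review bot: In extractString() and extractStringTrim(), `new String(in, ..., StandardCharsets.UTF_8)` replaces malformed byte sequences with U+FFFD instead of failing, so invalid UTF-8 in untrusted input is silently altered rather than reported as a ParseException. If strict handling is wanted, a `CharsetDecoder` configured with `CodingErrorAction.REPORT` is the standard-library route; otherwise a comment such as `// malformed UTF-8 is replaced, not rejected` would document the choice. The import hunk also adds `import java.nio.charset.Charset;`, which nothing in the visible hunks uses, so it can be dropped. extractStringTrim() starts outside the hunk.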
@@ -8,6 +8,7 @@ ### *V 2.3.1* * Fixes [issue #60](https://github.com/netplex/json-smart-v2/issues/60) (CVE-2021-27568) +* Fixes [issue #73](https://github.com/netplex/json-smart-v2/issues/73) ### *V 2.3* * Patch 37 [issue 37](http://code.google.com/p/json-smart/issues/detail?id=37) From dfb1ab7d70d601c69a0c3f4258a4a8514e3cec14 Mon Sep 17 00:00:00 2001 From: dpeger Date: Mon, 26 Apr 2021 09:42:13 +0200 Subject: [PATCH 10/11] Revert "Update README.md" This reverts commit 306617da53930a9aad26a92dc84613e2409f952b. --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d6b6159d..b7cc0fbc 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,6 @@ ### *V 2.3.1* * Fixes [issue #60](https://github.com/netplex/json-smart-v2/issues/60) (CVE-2021-27568) -* Fixes [issue #73](https://github.com/netplex/json-smart-v2/issues/73) ### *V 2.3* * Patch 37 [issue 37](http://code.google.com/p/json-smart/issues/detail?id=37) From d08ad4f4fb12f909cd210e07a9493dea0096b774 Mon Sep 17 00:00:00 2001 From: dpeger Date: Mon, 26 Apr 2021 09:42:16 +0200 Subject: [PATCH 11/11] Revert "[#73] Avoid `String` creation using system default charset" This reverts commit 340faf5590898f22ba40533226f6e37d355fdb5b. --- .../java/net/minidev/json/parser/JSONParserByteArray.java | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java index 17e590f3..80f587e2 100644 --- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java +++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserByteArray.java @@ -19,9 +19,6 @@ import net.minidev.json.JSONValue; import net.minidev.json.writer.JsonReaderI; -import java.nio.charset.Charset; -import java.nio.charset.StandardCharsets; - /** * Parser for JSON text. Please note that JSONParser is NOT thread-safe. * 
@@ -62,7 +59,7 @@ public T parse(byte[] in, JsonReaderI mapper) throws ParseException { } protected void extractString(int beginIndex, int endIndex) { - xs = new String(in, beginIndex, endIndex - beginIndex, StandardCharsets.UTF_8); + xs = new String(in, beginIndex, endIndex - beginIndex); } protected void extractStringTrim(int start, int stop) { @@ -74,7 +71,7 @@ protected void extractStringTrim(int start, int stop) { while ((start < stop) && (val[stop - 1] <= ' ')) { stop--; } - xs = new String(in, start, stop - start, StandardCharsets.UTF_8); + xs = new String(in, start, stop - start); } protected int indexOf(char c, int pos) {
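Review bot: After this revert, extractString() and extractStringTrim() again call `new String(in, beginIndex, endIndex - beginIndex)` with no charset, so the same bytes decode differently depending on the JVM default charset (`file.encoding`). For a parser fed untrusted input, that means two hosts can disagree on the parsed value. It also means TestUtf8.testBytes(), which encodes with "utf8", passes only where the default charset is UTF-8-compatible. The commit message gives no reason for the revert; if the UTF-8 change caused a regression, a comment at both call sites such as `// decodes with the platform default charset; callers must supply bytes in that encoding` would at least document the contract. extractStringTrim() is only partly visible in these hunks.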