[Git][java-team/libjettison-java][upstream] New upstream version 1.5.3
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sat Dec 31 10:28:27 GMT 2022
Markus Koschany pushed to branch upstream at Debian Java Maintainers / libjettison-java
Commits:
b14a2249 by Markus Koschany at 2022-12-31T11:13:14+01:00
New upstream version 1.5.3
- - - - -
6 changed files:
- pom.xml
- src/main/java/org/codehaus/jettison/json/JSONArray.java
- src/main/java/org/codehaus/jettison/json/JSONObject.java
- src/main/java/org/codehaus/jettison/json/JSONTokener.java
- src/test/java/org/codehaus/jettison/json/JSONArrayTest.java
- src/test/java/org/codehaus/jettison/json/JSONObjectTest.java
Changes:
=====================================
pom.xml
=====================================
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
- <version>1.5.1</version>
+ <version>1.5.3</version>
<packaging>bundle</packaging>
<name>Jettison</name>
<description>A StAX implementation for JSON.</description>
@@ -23,7 +23,7 @@
<dependency>
<groupId>com.fasterxml.woodstox</groupId>
<artifactId>woodstox-core</artifactId>
- <version>6.2.8</version>
+ <version>6.4.0</version>
<scope>test</scope>
</dependency>
</dependencies>
@@ -31,7 +31,7 @@
<connection>scm:git:http://github.com/jettison-json/jettison.git</connection>
<developerConnection>scm:git:https://github.com/jettison-json/jettison.git</developerConnection>
<url>https://github.com/jettison-json/jettison</url>
- <tag>jettison-1.5.1</tag>
+ <tag>jettison-1.5.3</tag>
</scm>
<distributionManagement>
<snapshotRepository>
=====================================
src/main/java/org/codehaus/jettison/json/JSONArray.java
=====================================
@@ -179,8 +179,9 @@ public class JSONArray implements Serializable {
/**
* Construct a JSONArray from a Collection.
* @param collection A Collection.
+ * @throws JSONException If there is a syntax error.
*/
- public JSONArray(Collection collection) {
+ public JSONArray(Collection collection) throws JSONException {
this.myArrayList = (collection == null) ?
new ArrayList() :
new ArrayList(collection);
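Review bot: The new `@throws JSONException If there is a syntax error.` on the Collection constructor documents the wrong cause: nothing is parsed here, and the only JSONException this constructor can now raise is the recursion-depth failure from `JSONObject(Map)` when nested Map elements are converted (that loop lies past the end of the hunk, so this is inferred from the added `throws`). Suggest `@throws JSONException if nested Map elements exceed JSONObject's recursion depth limit`, and the same wording on `put(Collection)` and `put(Map)` below. Adding a checked exception to an existing public constructor and two public methods is also a source-incompatible change for callers that neither catch nor declare it, which deserves a release-note entry. The constructor body continues outside the hunk.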
@@ -580,8 +581,9 @@ public class JSONArray implements Serializable {
* JSONArray which is produced from a Collection.
* @param value A Collection value.
* @return this.
+ * @throws JSONException If there is a syntax error.
*/
- public JSONArray put(Collection value) {
+ public JSONArray put(Collection value) throws JSONException {
put(new JSONArray(value));
return this;
}
@@ -631,8 +633,9 @@ public class JSONArray implements Serializable {
* JSONObject which is produced from a Map.
* @param value A Map value.
* @return this.
+ * @throws JSONException If there is a syntax error.
*/
- public JSONArray put(Map value) {
+ public JSONArray put(Map value) throws JSONException {
put(new JSONObject(value));
return this;
}
=====================================
src/main/java/org/codehaus/jettison/json/JSONObject.java
=====================================
@@ -84,6 +84,13 @@ import org.codehaus.jettison.JSONSequenceTooLargeException;
*/
public class JSONObject implements Serializable {
+ /**
+ * The default recursion depth limit to prevent stack overflow issues on deeply nested structures.
+ */
+ final static int DEFAULT_RECURSION_DEPTH_LIMIT = 500;
+
+ static int RECURSION_DEPTH_LIMIT = DEFAULT_RECURSION_DEPTH_LIMIT;
+
/**
* JSONObject.NULL is equivalent to the value that JavaScript calls null,
* whilst Java's null is equivalent to the value that JavaScript calls
@@ -213,6 +220,8 @@ public class JSONObject implements Serializable {
throw x.syntaxError("A JSONObject text must end with '}'");
case '}':
return;
+ case '{':
+ throw x.syntaxError("Expected a key");
default:
x.back();
key = x.nextValue().toString();
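Review bot: The new `case '{'` rejects an object in key position, but a `[` in the same position still falls through to `x.back(); key = x.nextValue().toString();`, which parses a full nested array (now bounded only by the tokener depth limit) and stringifies it as the key. If the fuzzer fix means keys must be scalars, a parallel `case '[': throw x.syntaxError("Expected a key");` keeps the two container openers consistent; if array-shaped keys are tolerated on purpose, a comment beside the new case saying so stops the next reader asking the same question. The enclosing constructor starts and ends outside the hunk.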
@@ -257,8 +266,17 @@ public class JSONObject implements Serializable {
* Construct a JSONObject from a Map.
* @param map A map object that can be used to initialize the contents of
* the JSONObject.
+ * @throws JSONException If there is a syntax error.
*/
- public JSONObject(Map map) {
+ public JSONObject(Map map) throws JSONException {
+ this(map, 0);
+ }
+
+ private JSONObject(Map map, int recursionDepth) throws JSONException {
+
+ if (recursionDepth > RECURSION_DEPTH_LIMIT) {
+ throw new JSONException("JSONObject has reached recursion depth limit of " + RECURSION_DEPTH_LIMIT);
+ }
this.myHashMap = (map == null) ?
new LinkedHashMap<Object,Object>() :
new LinkedHashMap<Object,Object>(map);
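Review bot: The `@throws JSONException If there is a syntax error.` added to the Map constructor names the wrong cause — no text is parsed here, and the only JSONException the hunk introduces is the depth-limit failure thrown a few lines below. Suggest `@throws JSONException if nested Map values exceed the recursion depth limit (see setGlobalRecursionDepthLimit)`. The limit is also read from the mutable static twice, once in the comparison and once in the message, so a concurrent `setGlobalRecursionDepthLimit` can yield a message naming a different limit than the one enforced; `int limit = RECURSION_DEPTH_LIMIT;` read once at the top and used in both places avoids that. The constructor body continues in the next hunk.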
@@ -268,8 +286,8 @@ public class JSONObject implements Serializable {
if (v instanceof Collection) {
myHashMap.put(entry.getKey(), new JSONArray((Collection) v));
}
- if (v instanceof Map) {
- myHashMap.put(entry.getKey(), new JSONObject((Map) v));
+ if (v instanceof Map && v != map) {
+ myHashMap.put(entry.getKey(), new JSONObject((Map) v, recursionDepth + 1));
}
}
}
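Review bot: The depth counter is not carried through the `Collection` branch: `new JSONArray((Collection) v)` on the first line of the hunk goes through the public `JSONArray(Collection)` constructor, and if that constructor converts Map elements with `new JSONObject(Map)` (its loop is not in this hunk, but the `throws JSONException` it gained suggests so), the count restarts at 0, so a cycle such as map → list → map is not bounded by this check and can still overflow the stack. Threading `recursionDepth` through a package-private `JSONArray(Collection, int)` would close that path. Separately, the `v != map` guard skips only a direct self-reference and leaves the raw self-referencing map in `myHashMap` (the copy in the previous hunk retains it), so whatever later converts Map values for output — not visible here — presumably meets it again; replacing the entry, for example with `JSONObject.NULL`, or throwing would make the outcome explicit. The enclosing constructor starts outside the hunk.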
@@ -1025,9 +1043,10 @@ public class JSONObject implements Serializable {
c = string.charAt(i);
switch (c) {
case '\\':
+ sb.append("\\\\");
+ break;
case '"':
- sb.append('\\');
- sb.append(c);
+ sb.append("\\\"");
break;
case '/':
if (escapeForwardSlashAlways || i > 0 && string.charAt(i - 1) == '<') {
@@ -1319,6 +1338,43 @@ public class JSONObject implements Serializable {
return quote(value.toString(), escapeForwardSlash);
}
+ /**
+ * Set the new recursion depth limit to prevent stack overflow issues on deeply nested structures. The default
+ * value is 500
+ * @param newRecursionDepthLimit the new recursion depth limit to set
+ */
+ public static void setGlobalRecursionDepthLimit(int newRecursionDepthLimit) {
+ RECURSION_DEPTH_LIMIT = newRecursionDepthLimit;
+ }
+
+ /**
+ * Set the new recursion depth limit to prevent stack overflow issues on deeply nested structures. The default
+ * value is 500
+ * @param newRecursionDepthLimit the new recursion depth limit to set
+ */
+ @Deprecated
+ public void setRecursionDepthLimit(int newRecursionDepthLimit) {
+ RECURSION_DEPTH_LIMIT = newRecursionDepthLimit;
+ }
+
+ /**
+ * Get the new recursion depth limit to prevent stack overflow issues on deeply nested structures. The default
+ * value is 500
+ * @return the recursion depth limit
+ */
+ public static int getGlobalRecursionDepthLimit() {
+ return RECURSION_DEPTH_LIMIT;
+ }
+
+ /**
+ * Get the new recursion depth limit to prevent stack overflow issues on deeply nested structures. The default
+ * value is 500
+ * @return the recursion depth limit
+ */
+ @Deprecated
+ public int getRecursionDepthLimit() {
+ return RECURSION_DEPTH_LIMIT;
+ }
/**
* Write the contents of the JSONObject as JSON text to a writer.
@@ -1396,4 +1452,5 @@ public class JSONObject implements Serializable {
public Map toMap() {
return Collections.unmodifiableMap(myHashMap);
}
+
}
=====================================
src/main/java/org/codehaus/jettison/json/JSONTokener.java
=====================================
@@ -44,7 +44,9 @@ public class JSONTokener {
private int threshold = -1;
-
+
+ private int recursionDepth;
+
/**
* Construct a JSONTokener from a string.
*
@@ -54,7 +56,7 @@ public class JSONTokener {
this.myIndex = 0;
this.mySource = s.trim();
}
-
+
/**
* Construct a JSONTokener from a string.
*
@@ -423,11 +425,24 @@ public class JSONTokener {
}
protected JSONObject newJSONObject() throws JSONException {
- return new JSONObject(this);
+ checkRecursionDepth();
+ JSONObject object = new JSONObject(this);
+ recursionDepth--;
+ return object;
}
-
+
protected JSONArray newJSONArray() throws JSONException {
- return new JSONArray(this);
+ checkRecursionDepth();
+ JSONArray array = new JSONArray(this);
+ recursionDepth--;
+ return array;
+ }
+
+ private void checkRecursionDepth() throws JSONException {
+ recursionDepth++;
+ if (recursionDepth > JSONObject.RECURSION_DEPTH_LIMIT) {
+ throw new JSONException("JSONTokener has reached recursion depth limit of " + JSONObject.RECURSION_DEPTH_LIMIT);
+ }
}
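Review bot: `recursionDepth--` in `newJSONObject` and `newJSONArray` is skipped whenever the nested constructor throws, because the decrement follows the call instead of sitting in a `finally`; a caller that catches the JSONException and keeps using the same tokener (it is stateful, and `back()`/`nextValue()` are public) then carries an inflated count and hits the limit earlier than configured. `checkRecursionDepth` likewise leaves the counter incremented on the throwing path and re-reads `JSONObject.RECURSION_DEPTH_LIMIT` for both the comparison and the message, so the two can disagree under a concurrent setter call. Moving the decrement into `finally`, checking before incrementing, and reading the limit once fixes all three.
```java
    protected JSONObject newJSONObject() throws JSONException {
        checkRecursionDepth();
        try {
            return new JSONObject(this);
        } finally {
            recursionDepth--;
        }
    }

    protected JSONArray newJSONArray() throws JSONException {
        checkRecursionDepth();
        try {
            return new JSONArray(this);
        } finally {
            recursionDepth--;
        }
    }

    private void checkRecursionDepth() throws JSONException {
        int limit = JSONObject.RECURSION_DEPTH_LIMIT; // single read: check and message agree
        if (recursionDepth >= limit) {
            throw new JSONException("JSONTokener has reached recursion depth limit of " + limit);
        }
        recursionDepth++;
    }
```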
/**
=====================================
src/test/java/org/codehaus/jettison/json/JSONArrayTest.java
=====================================
@@ -63,4 +63,10 @@ public class JSONArrayTest extends TestCase {
// expected
}
}
+
+ public void testIssue52() throws JSONException {
+ JSONObject.setGlobalRecursionDepthLimit(10);
+ new JSONArray("[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]");
+ }
+
}
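Review bot: `testIssue52` lowers the JVM-wide limit with `JSONObject.setGlobalRecursionDepthLimit(10)` and never restores it, so every test that runs later in the same JVM — including `JSONObjectTest.testFuzzerTestCase2`, which passes today only because its input is far deeper than either value — executes against a limit of 10 instead of the default 500, and the order-dependence is invisible until some future test nests more than ten levels. Wrap the body in `try { ... } finally { JSONObject.setGlobalRecursionDepthLimit(JSONObject.DEFAULT_RECURSION_DEPTH_LIMIT); }` (the default is package-visible from this test). A one-line comment such as `// eleven sibling objects at depth 2 must not accumulate against a limit of 10` would also record what the test actually proves, since it passes by not throwing.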
=====================================
src/test/java/org/codehaus/jettison/json/JSONObjectTest.java
=====================================
@@ -2,7 +2,13 @@ package org.codehaus.jettison.json;
import junit.framework.TestCase;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
public class JSONObjectTest extends TestCase {
+
public void testEquals() throws Exception {
JSONObject aJsonObj = new JSONObject("{\"x\":\"y\"}");
JSONObject bJsonObj = new JSONObject("{\"x\":\"y\"}");
@@ -81,7 +87,11 @@ public class JSONObjectTest extends TestCase {
public void testSlashEscapingTurnedOnByDefault() throws Exception {
JSONObject obj = new JSONObject();
obj.put("key", "http://example.com/foo");
- assertEquals(obj.toString(), "{\"key\":\"http:\\/\\/example.com\\/foo\"}");
+ assertEquals("{\"key\":\"http:\\/\\/example.com\\/foo\"}", obj.toString());
+
+ obj = new JSONObject();
+ obj.put("key", "\\\\");
+ assertEquals("{\"key\":\"\\\\\\\\\"}", obj.toString());
}
public void testForwardSlashEscapingModifiedfBySetter() throws Exception {
@@ -148,4 +158,57 @@ public class JSONObjectTest extends TestCase {
}
}
+ // https://github.com/jettison-json/jettison/issues/52
+ public void testIssue52() throws Exception {
+ Map<String,Object> map = new HashMap<>();
+ map.put("t",map);
+ new JSONObject(map);
+ }
+
+ // https://github.com/jettison-json/jettison/issues/52
+ public void testIssue52Recursive() throws Exception {
+ try {
+ Map<String, Object> map = new HashMap<>();
+ Map<String, Object> map2 = new HashMap<>();
+ map.put("t", map2);
+ map2.put("t", map);
+ new JSONObject(map);
+ fail("Failure expected");
+ } catch (JSONException e) {
+ assertTrue(e.getMessage().contains("JSONObject has reached recursion depth limit"));
+ // expected
+ }
+ }
+
+ // https://github.com/jettison-json/jettison/issues/45
+ public void testFuzzerTestCase() throws Exception, JSONException {
+ try {
+ new JSONObject("{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{\"G\":[30018084,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,38,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,0]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,340282366920938463463374607431768211458,6,1,1]}:[32768,1,1,6,1,0]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,340282366920938463463374607431768211458,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,9 68,1,127,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,6,32768,1,1,6,1,9223372036854775807]}:[3,1,6,32768,1,1,6,1,1]}:[3,1,10,32768,1,1,6,1,1]}");
+ fail("Failure expected");
+ } catch (JSONException ex) {
+ // expected
+ assertTrue(ex.getMessage().contains("Expected a key"));
+ }
+ }
+
+ public void testFuzzerTestCase2() throws Exception {
+ StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < 100000; i++) {
+ sb.append("{\"key\":");
+ }
+ try {
+ new JSONObject(sb.toString());
+ fail("Failure expected");
+ } catch (JSONException e) {
+ assertTrue(e.getMessage().contains("JSONTokener has reached recursion depth limit"));
+ // expected
+ }
+ }
+
+ public void testIssue58() throws JSONException {
+ Map<String, Object> map = new HashMap<>();
+ map.put("request", "{\"exclude\":[\".\",\"?\",\"+\",\"*\",\"|\",\"{\",\"}\",\"[\",\"]\",\"(\",\")\",\"\\\"\",\"\\\\\",\"#\",\"@\",\"&\",\"<\",\">\",\"~\"]}");
+ JSONObject jsonObject = new JSONObject(map);
+ JSONObject jsonObject1 = new JSONObject(jsonObject.toString());
+ }
}
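Review bot: `testIssue58` parses the round-tripped text into `jsonObject1` and then discards it, so the test proves only that no exception is thrown and would miss an escaping regression that produces different but still parseable output. Adding `assertEquals(map.get("request"), jsonObject1.get("request"));` pins that the string survives quote → parse intact, which is the point of the issue. Minor: `throws Exception, JSONException` on `testFuzzerTestCase` is redundant since `Exception` already covers it, and `testFuzzerTestCase2` silently depends on whatever global limit earlier tests left behind — it passes for any limit below 100000, but a comment stating that tolerance would make the dependence deliberate rather than accidental.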