json-iterator / java

jsoniter (json-iterator) is a fast and flexible JSON parser available in Java and Go
http://jsoniter.com/
MIT License

Null parsing accepts bad input #357

Open mtdowling opened 2 months ago

mtdowling commented 2 months ago

Various places in this library that parse null will see 'n' and then skip the next three characters without validating that the next three characters are 'u' 'l' 'l'. So this is parsed as null: nope.

See for example https://github.com/json-iterator/java/blob/master/src/main/java/com/jsoniter/IterImplObject.java#L10-L12

    public static final String readObject(JsonIterator iter) throws IOException {
        byte c = IterImpl.nextToken(iter);
        switch (c) {
            case 'n':
                IterImpl.skipFixedBytes(iter, 3);
                return null;
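To make the report concrete, the following is an added example and not code from json-iterator. `lenientNull` models the pattern quoted above (see `'n'`, advance three bytes without inspecting them); `strictLiteral` is one way to do it properly, comparing every byte and also rejecting a non-delimiter byte directly after the literal, a check the issue itself does not discuss. The inputs in `main` are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not code from json-iterator: contrasts the skip-three-bytes
// pattern quoted in the issue with a reader that verifies every byte.
public class NullLiteralCheck {

    // Models the pattern in the issue: after seeing 'n', skip the next three
    // bytes without looking at them. Returns the index just past the literal.
    static int lenientNull(byte[] buf, int pos) throws IOException {
        if (pos >= buf.length || buf[pos] != 'n') {
            throw new IOException("expected null at " + pos);
        }
        int end = pos + 4;                 // 'n' plus three unchecked bytes
        if (end > buf.length) {
            throw new IOException("unexpected end of input at " + pos);
        }
        return end;                        // "nope" gets here just like "null"
    }

    // Strict version: every byte of the literal must match, and the literal
    // must be followed by end-of-input or a JSON structural/whitespace byte.
    static int strictLiteral(byte[] buf, int pos, String literal) throws IOException {
        byte[] want = literal.getBytes(StandardCharsets.US_ASCII);
        if (pos + want.length > buf.length) {
            throw new IOException("unexpected end of input while reading " + literal + " at " + pos);
        }
        for (int i = 0; i < want.length; i++) {
            if (buf[pos + i] != want[i]) {
                String seen = new String(buf, pos, want.length, StandardCharsets.US_ASCII);
                throw new IOException("expected '" + literal + "' at " + pos + " but found '" + seen + "'");
            }
        }
        int end = pos + want.length;
        if (end < buf.length && !isDelimiter(buf[end])) {
            throw new IOException("unexpected byte after " + literal + " at " + end);
        }
        return end;
    }

    // Bytes that may legitimately follow a literal inside a JSON document.
    static boolean isDelimiter(byte b) {
        return b == ',' || b == '}' || b == ']' || b == ':'
            || b == ' ' || b == '\t' || b == '\n' || b == '\r';
    }

    // Runs both readers on one input and reports what each one decided.
    static String describe(String input) {
        byte[] buf = input.getBytes(StandardCharsets.UTF_8);
        String lenient;
        String strict;
        try {
            lenientNull(buf, 0);
            lenient = "accepted";
        } catch (IOException e) {
            lenient = "rejected (" + e.getMessage() + ")";
        }
        try {
            strictLiteral(buf, 0, "null");
            strict = "accepted";
        } catch (IOException e) {
            strict = "rejected (" + e.getMessage() + ")";
        }
        return String.format("%-8s lenient: %-10s strict: %s", "\"" + input + "\"", lenient, strict);
    }

    public static void main(String[] args) {
        // Constructed inputs: only "null" and "null," are valid; the lenient
        // reader also accepts "nope" and "nullx", the strict reader does not.
        String[] inputs = { "null", "null,", "nope", "nul", "nullx" };
        for (String in : inputs) {
            System.out.println(describe(in));
        }
    }
}
```

The length check alone is not enough: `nul` is rejected by both readers because the buffer runs out, but `nope` passes the lenient reader because the three skipped bytes are never compared. Passing the literal as a parameter also lets the same strict routine serve `true` and `false` if their readers follow the same skip pattern, which this example assumes rather than confirms.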

TDila commented 1 month ago

Hello, I'm new to open-source contribution and I would like to help. Are you working on this? If not, can you please assign this to me?

mtdowling commented 1 month ago

I’m not working on this, please feel free.

TDila commented 1 month ago

@mtdowling thanks 👍

bodasiddartha commented 2 weeks ago

@mtdowling I'm new to open source and I would love to give it a try (even if it does not help).