cxf-issues mailing list archives

From "Boris Capitanu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-7287) Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
Date Fri, 17 Mar 2017 01:43:41 GMT
Boris Capitanu created CXF-7287:
-----------------------------------

             Summary: Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
                 Key: CXF-7287
                 URL: https://issues.apache.org/jira/browse/CXF-7287
             Project: CXF
          Issue Type: Bug
    Affects Versions: 3.1.7
         Environment: OSX, Tomcat8, Java8
            Reporter: Boris Capitanu


*Background*:
Discovered when using JWT tokens. In org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer
there is a line of code that reads:
{code}
JwtClaims theClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
{code}

If the method "getDecodedJwsPayload()" returns a JSON string like:
{noformat}
"\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\""
{noformat}

then the "fromJson" method returns an incorrect Map.

*The Bug*
The problem occurs in org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter (defined in
cxf-rt-rs-json-basic-3.1.7.jar) in the _readJsonObjectAsSettable_ method. Specifically, line
188 reads:
{code}
int commaIndex = getCommaIndex(json, sepIndex + j);
{code}
which will cause the wrong comma index to be found for the JSON key "roles" in my example
above (apparently commaIndex is used to find the "next json key" position in the json string).
I'm also thinking that it's possible that line 166 could be a problem as well, if a JSON value
would ever contain an (escaped) quote character.

This JSON parsing seems fragile... I wonder why a "standard" JSON library wasn't used (perhaps
just to not add an additional dependency?)

Proper parsing of commas in JSON values is important for JWT purposes as the constructor of
_org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext_ expects role claims to be
comma-separated.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
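To make the failure mode concrete, here is an added illustration in Python (it is not CXF code and not the Java parser the issue refers to): a plain next-comma search, which is the behaviour the report describes, beside a string-aware scanner that skips commas inside quoted values and nested containers, both applied to a constructed payload built from the report's example. The claims map is reduced to raw string values, so the two scanners can be compared directly.

```python
import json

# Constructed sample, mirroring the report: the "roles" value contains a comma.
PAYLOAD = '{"sub":"admin","roles":"admin,user","iss":"auth0"}'
# Constructed second sample: a value containing an escaped quote.
PAYLOAD_ESCAPED = '{"sub":"ad\\"min","roles":"admin,user"}'


def naive_comma_index(text: str, start: int) -> int:
    """Plain search for the next comma; it stops inside the string "admin,user"."""
    return text.find(",", start)


def string_aware_comma_index(text: str, start: int) -> int:
    """Index of the next comma at the current nesting level: commas inside quoted
    strings (honouring backslash escapes) and inside nested objects or arrays are
    skipped. Returns -1 when there is none."""
    in_string, depth, i = False, 0, start
    while i < len(text):
        c = text[i]
        if in_string:
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c in "{[":
            depth += 1
        elif c in "}]":
            depth -= 1
        elif c == "," and depth == 0:
            return i
        i += 1
    return -1


def claims_from(obj_text: str, comma_index) -> dict:
    """Split the object body into members with the given comma finder and reduce
    each member to key -> raw value (surrounding quotes stripped, escapes kept)."""
    body = obj_text.strip()[1:-1]       # drop the outer braces
    claims, start = {}, 0
    while start <= len(body):
        idx = comma_index(body, start)
        member = body[start:] if idx == -1 else body[start:idx]
        if ":" in member:               # a fragment such as 'user"' has no colon
            key, value = member.split(":", 1)
            claims[key.strip().strip('"')] = value.strip().strip('"')
        if idx == -1:
            break
        start = idx + 1
    return claims


def matches_stdlib(obj_text: str) -> bool:
    """Cross-check against the standard library (valid for escape-free values)."""
    return claims_from(obj_text, string_aware_comma_index) == json.loads(obj_text)
```

With the naive scanner the "roles" claim silently becomes "admin" and the fragment 'user"' is dropped, so an authorization check would see a different role list than the token carries; the string-aware scanner returns "admin,user" and agrees with json.loads.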
