cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-7287) Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
Date Sun, 19 Mar 2017 22:24:42 GMT

    [ https://issues.apache.org/jira/browse/CXF-7287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15931998#comment-15931998 ]

Sergey Beryozkin commented on CXF-7287:
---------------------------------------

At some point JsonMapObjectReaderWriter was, as far as I recall, an implementation of the
interface which was passed to various JOSE consumers, but after many iterations I decided
to simplify the API and simply let the basic parser be used - it allows for a bit of extra
control, for example, tracing the duplications of the properties which must not be duplicated,
etc.

I'll start considering reintroducing the interface (after fixing this particular issue) so
that the alternative JSON parsers can be wrapped if needed.


> Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
> ----------------------------------------------------------------------------------
>
>                 Key: CXF-7287
>                 URL: https://issues.apache.org/jira/browse/CXF-7287
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 3.1.10
>         Environment: OSX, Tomcat8, Java8
>            Reporter: Boris Capitanu
>
> *Background*:
> Discovered when using JWT tokens. In org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer there is a line of code that reads:
> {code}
> JwtClaims theClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
> {code}
> If the method "getDecodedJwsPayload()" returns a JSON string like:
> {noformat}
> "\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\""
> {noformat}
> then the "fromJson" method returns an incorrect Map.
> *The Bug*
> The problem occurs in org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter (defined in cxf-rt-rs-json-basic-3.1.10.jar) in the _readJsonObjectAsSettable_ method. Specifically, line 188 reads:
> {code}
> int commaIndex = getCommaIndex(json, sepIndex + j);
> {code}
> which will cause the wrong comma index to be found for the JSON key "roles" in my example above (apparently commaIndex is used to find the "next json key" position in the json string).
> I'm also thinking that it's possible that line 166 could be a problem as well, if a JSON value would ever contain an (escaped) quote character.
> This JSON parsing seems fragile... I wonder why a "standard" JSON library wasn't used (perhaps just to not add an additional dependency?)
> Proper parsing of commas in JSON values is important for JWT purposes as the constructor of _org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext_ expects role claims to be comma-separated.
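As an added illustration (Python written for this page, not CXF's Java code and not the fix the project applied), the failure class the quoted report describes: a comma scanner that ignores quoting versus one that tracks string state, run over a constructed claims payload whose "roles" value contains a comma. PAYLOAD and all function names are made up for the example.

```python
# Constructed claims payload for this example (not a real token); the
# "roles" value contains the comma the report describes.
PAYLOAD = '{"sub":"admin","roles":"admin,user","iss":"auth0"}'

def naive_comma_index(text, start):
    """Next comma at or after start, ignoring quoting (the fragile scan)."""
    i = text.find(",", start)
    return len(text) if i < 0 else i

def string_aware_comma_index(text, start):
    """Next top-level comma; commas inside quoted strings are skipped, and a
    backslash skips the following character so an escaped quote is safe."""
    in_string = False
    i = start
    while i < len(text):
        c = text[i]
        if in_string:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == ",":
            return i
        i += 1
    return len(text)

def split_members(obj_text, comma_index):
    """Split the inside of {...} into raw key:value members using comma_index."""
    body = obj_text.strip()[1:-1]
    members, start = [], 0
    while start < len(body):
        end = comma_index(body, start)
        members.append(body[start:end])
        start = end + 1
    return members

def claims_from_members(members):
    """Minimal key/value extraction; handles unescaped string values only."""
    claims = {}
    for member in members:
        key, _, value = member.partition(":")
        claims[key.strip().strip('"')] = value.strip().strip('"')
    return claims

def roles(claims):
    """Role list as JwtTokenSecurityContext expects it: comma-separated."""
    return [r for r in claims.get("roles", "").split(",") if r]
```

With the naive scan the "user" role is silently lost and a stray "user" key appears, so authorization decisions based on the parsed claims diverge from what the token carries; the string-aware scan (or a standard JSON library) yields both roles.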



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
