fastjson parseArray(...) does not check the format, so invalid JSON is also parsed

tct7dpnv posted on 2021-11-27 in Java

The bug is as follows: an invalid JSON string is parsed normally, with no error reported.

import com.alibaba.fastjson.JSONObject;

public class ParseArrayRepro {
    public static void main(String[] args) {
        String errorJson = "[{\"a\":1}{\"b\":2}null undefined 676]";
        System.out.println(JSONObject.parseArray(errorJson)); // [{"a":1},{"b":2},null,null,676]
    }
}

i7uaboj4 1#

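I found a related test case that uses invalid JSON arrays (with spaces between the numbers). Why is this allowed by default? Is there some purpose behind it? @wenshao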

fastjson/src/test/java/com/alibaba/json/bvt/parser/DefaultExtJSONParserTest_4.java

Lines 17 to 33 in 8697461

public void test_0() throws Exception {
    List<?> res = Arrays.asList(1, 2, 3);
    String[] tests = { "[1,2,3]", "[1,,2,3]", "[1,2,,,3]", "[1 2,,,3]", "[1 2 3]", "[1, 2, 3,,]", "[,,1, 2, 3,,]", };

    for (String t : tests) {
        DefaultJSONParser ext = new DefaultJSONParser(t);
        ext.config(Feature.AllowArbitraryCommas, true);
        List extRes = ext.parseArray(Object.class);
        Assert.assertEquals(res, extRes);

        DefaultJSONParser basic = new DefaultJSONParser(t);
        basic.config(Feature.AllowArbitraryCommas, true);
        List basicRes = new ArrayList();
        basic.parseArray(basicRes);
        Assert.assertEquals(res, basicRes);
    }
}
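
A defender-side check for the leniency discussed in this thread, as an added example that is not part of the original posts or of the fastjson project: it gates input with a strict parser before the input reaches a lenient one, so that two components cannot disagree about what a payload contains. It assumes Jackson 2.10+ as the strict parser (a swapped-in library that the page does not mention); `StrictJsonGate` and `isStrictJson` are hypothetical names.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

// Added example: StrictJsonGate and isStrictJson are hypothetical names.
// Assumes Jackson 2.10+ (jackson-databind) is on the classpath.
public class StrictJsonGate {
    // Jackson's defaults already reject missing commas, empty elements and
    // bare words such as `undefined`; the two features below also reject
    // content after the top-level value and duplicate object keys.
    private static final ObjectMapper STRICT = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS)
            .enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);

    /** Returns true only if text is exactly one well-formed JSON value. */
    static boolean isStrictJson(String text) {
        if (text == null) return false;
        try {
            JsonNode node = STRICT.readTree(text);
            // Empty or whitespace-only input yields a "missing" node, not an error.
            return node != null && !node.isMissingNode();
        } catch (IOException e) {
            return false; // JsonProcessingException is an IOException
        }
    }

    public static void main(String[] args) {
        // Inputs copied from this page: the reporter's string and the test case's array.
        String[] inputs = {
            "[{\"a\":1}{\"b\":2}null undefined 676]",
            "[1,2,3]", "[1,,2,3]", "[1,2,,,3]", "[1 2,,,3]",
            "[1 2 3]", "[1, 2, 3,,]", "[,,1, 2, 3,,]",
        };
        for (String in : inputs) {
            System.out.printf("%-45s %s%n", in, isStrictJson(in) ? "accept" : "reject");
        }
    }
}
```

Call `isStrictJson` at the trust boundary and refuse the request when it returns false, rather than passing the raw string on to a parser that repairs it silently.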
