You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/11/09 12:42:36 UTC
[tomcat] branch 10.1.x updated: Avoid invalid JSON in JSONErrorReportValve output
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 1f50bff8da Avoid invalid JSON in JSONErrorReportValve output
1f50bff8da is described below
commit 1f50bff8daabb48c5f15398689988f26aac6ec56
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 9 12:39:15 2022 +0000
Avoid invalid JSON in JSONErrorReportValve output
---
.../catalina/valves/JsonErrorReportValve.java | 7 +-
java/org/apache/tomcat/util/json/JSONFilter.java | 61 ++++++++++++++++
.../apache/tomcat/util/json/TestJSONFilter.java | 82 ++++++++++++++++++++++
webapps/docs/changelog.xml | 5 ++
4 files changed, 152 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/valves/JsonErrorReportValve.java b/java/org/apache/catalina/valves/JsonErrorReportValve.java
index a9bb895585..1e7719fb51 100644
--- a/java/org/apache/catalina/valves/JsonErrorReportValve.java
+++ b/java/org/apache/catalina/valves/JsonErrorReportValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.coyote.ActionCode;
import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.json.JSONFilter;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -82,9 +83,9 @@ public class JsonErrorReportValve extends ErrorReportValve {
}
}
String jsonReport = "{\n" +
- " \"type\": \"" + type + "\",\n" +
- " \"message\": \"" + message + "\",\n" +
- " \"description\": \"" + description + "\"\n" +
+ " \"type\": \"" + JSONFilter.escape(type) + "\",\n" +
+ " \"message\": \"" + JSONFilter.escape(message) + "\",\n" +
+ " \"description\": \"" + JSONFilter.escape(description) + "\"\n" +
"}";
try {
try {
diff --git a/java/org/apache/tomcat/util/json/JSONFilter.java b/java/org/apache/tomcat/util/json/JSONFilter.java
new file mode 100644
index 0000000000..cb255dc41b
--- /dev/null
+++ b/java/org/apache/tomcat/util/json/JSONFilter.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+/**
+ * Provides escaping of values so they can be included in a JSON document.
+ * Escaping is based on the definition of JSON found in
+ * <a href="https://www.rfc-editor.org/rfc/rfc8259.html">RFC 8259</a>.
+ */
+public class JSONFilter {
+
+ private JSONFilter() {
+ // Utility class. Hide the default constructor.
+ }
+
+ public static String escape(String input) {
+ /*
+ * While any character MAY be escaped, only U+0000 to U+001F (control
+ * characters), U+0022 (quotation mark) and U+005C (reverse solidus)
+ * MUST be escaped.
+ */
+ char[] chars = input.toCharArray();
+ StringBuffer escaped = null;
+ int lastUnescapedStart = 0;
+ for (int i = 0; i < chars.length; i++) {
+ if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) {
+ if (escaped == null) {
+ escaped = new StringBuffer(chars.length + 20);
+ }
+ if (lastUnescapedStart < i) {
+ escaped.append(input.subSequence(lastUnescapedStart, i));
+ }
+ lastUnescapedStart = i + 1;
+ escaped.append("\\u");
+ escaped.append(String.format("%04X", Integer.valueOf(chars[i])));
+ }
+ }
+ if (escaped == null) {
+ return input;
+ } else {
+ if (lastUnescapedStart < chars.length) {
+ escaped.append(input.subSequence(lastUnescapedStart, chars.length));
+ }
+ return escaped.toString();
+ }
+ }
+}
diff --git a/test/org/apache/tomcat/util/json/TestJSONFilter.java b/test/org/apache/tomcat/util/json/TestJSONFilter.java
new file mode 100644
index 0000000000..0e06433735
--- /dev/null
+++ b/test/org/apache/tomcat/util/json/TestJSONFilter.java
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+
+@RunWith(Parameterized.class)
+public class TestJSONFilter {
+
+ @Parameterized.Parameters(name = "{index}: input[{0}], output[{1}]")
+ public static Collection<Object[]> parameters() {
+ Collection<Object[]> parameterSets = new ArrayList<>();
+
+ // Empty
+ parameterSets.add(new String[] { "", "" });
+
+ // Must escape
+ parameterSets.add(new String[] { "\"", "\\u0022" });
+ parameterSets.add(new String[] { "\\", "\\u005C" });
+ // Sample of controls
+ parameterSets.add(new String[] { "\t", "\\u0009" });
+ parameterSets.add(new String[] { "\n", "\\u000A" });
+ parameterSets.add(new String[] { "\r", "\\u000D" });
+
+ // No escape
+ parameterSets.add(new String[] { "aaa", "aaa" });
+
+ // Start
+ parameterSets.add(new String[] { "\naaa", "\\u000Aaaa" });
+ parameterSets.add(new String[] { "\n\naaa", "\\u000A\\u000Aaaa" });
+
+ // Middle
+ parameterSets.add(new String[] { "aaa\naaa", "aaa\\u000Aaaa" });
+ parameterSets.add(new String[] { "aaa\n\naaa", "aaa\\u000A\\u000Aaaa" });
+
+ // End
+ parameterSets.add(new String[] { "aaa\n", "aaa\\u000A" });
+ parameterSets.add(new String[] { "aaa\n\n", "aaa\\u000A\\u000A" });
+
+ // Start, middle and end
+ parameterSets.add(new String[] { "\naaa\naaa\n", "\\u000Aaaa\\u000Aaaa\\u000A" });
+ parameterSets.add(new String[] { "\n\naaa\n\naaa\n\n", "\\u000A\\u000Aaaa\\u000A\\u000Aaaa\\u000A\\u000A" });
+
+ // Multiple
+ parameterSets.add(new String[] { "\n\n", "\\u000A\\u000A" });
+
+ return parameterSets;
+ }
+
+ @Parameter(0)
+ public String input;
+
+ @Parameter(1)
+ public String output;
+
+ @Test
+ public void testStringEscaping() {
+ Assert.assertEquals(output, JSONFilter.escape(input));;
+ }
+}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9df5bbcaab..03622bdf90 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,11 @@
<bug>66338</bug>: Fix a regression that caused a nuance in refactoring
for <code>ErrorReportValve</code>. (lihan)
</fix>
+ <fix>
+ Escape values used to construct output for the
+ <code>JsonErrorReportValve</code> to ensure that it always outputs valid
+ JSON. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org