fix(stleary#887): double array breaking JSONTokener.nextValue

change(stleary#887): input validation
rikkarth · Apr 21, 2024 · 3dcd5b2 · 3dcd5b2
1 parent ce074e9
commit 3dcd5b2
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 20 deletions.
diff --git a/src/main/java/org/json/JSONArray.java b/src/main/java/org/json/JSONArray.java
@@ -133,6 +133,17 @@ public JSONArray(JSONTokener x, JSONParserConfiguration jsonParserConfiguration)
                     case ']':
                         if (jsonParserConfiguration.isStrictMode()) {
                             nextChar = x.nextClean();
+
+                            if (nextChar == ','){
+                                x.back();
+                                return;
+                            }
+
+                            if (nextChar == ']'){
+                                x.back();
+                                return;
+                            }
+
                             if (nextChar != 0) {
                                 throw x.syntaxError("invalid character found after end of array: " + nextChar);
                             }
@@ -161,27 +172,14 @@ private void validateInput(JSONTokener x) {
         char cursor = x.getPrevious();
 
         boolean isEndOfArray = cursor == ']';
-        boolean nextCharacterIsNotEoF = x.nextClean() != 0;
+        char nextChar = x.nextClean();
+        boolean nextCharacterIsNotEoF = nextChar != 0;
 
         if (isEndOfArray && nextCharacterIsNotEoF) {
-            String completeInput = collectCompleteInput(x);
-            throw new JSONException("Provided Array is not compliant with strict mode guidelines: " + completeInput);
+            throw x.syntaxError(String.format("Provided Array is not compliant with strict mode guidelines: '%s'", nextChar));
         }
     }
 
-    private String collectCompleteInput(JSONTokener x) {
-        String nonCompliantStringAfterArray = collectNonCompliantStringAfterArray(x);
-        return myArrayList + nonCompliantStringAfterArray;
-    }
-
-    private String collectNonCompliantStringAfterArray(JSONTokener x) {
-        StringBuilder sb = new StringBuilder().append(x.getPrevious());
-        while(x.nextClean() != 0){
-            sb.append(x.getPrevious());
-        }
-        return sb.toString();
-    }
-
     /**
      * Construct a JSONArray from a source JSON text.
      *

diff --git a/src/main/java/org/json/JSONTokener.java b/src/main/java/org/json/JSONTokener.java
@@ -440,7 +440,7 @@ public Object nextValue(JSONParserConfiguration jsonParserConfiguration) throws
             case '[':
                 this.back();
                 try {
-                    return new JSONArray(this);
+                    return new JSONArray(this, jsonParserConfiguration);
                 } catch (StackOverflowError e) {
                     throw new JSONException("JSON Array or Object depth too large to process.", e);
                 }
@@ -516,6 +516,10 @@ private Object parsedUnquotedText(char c, boolean strictMode) {
 
         String string = sb.toString().trim();
 
+        if (string.isEmpty()) {
+            throw this.syntaxError("Missing value");
+        }
+
         if (strictMode) {
             boolean isBooleanOrNumeric = checkIfValueIsBooleanOrNumeric(string);
 
@@ -526,9 +530,6 @@ private Object parsedUnquotedText(char c, boolean strictMode) {
             throw new JSONException(String.format("Value is not surrounded by quotes: %s", string));
         }
 
-        if (string.isEmpty()) {
-            throw this.syntaxError("Missing value");
-        }
         return JSONObject.stringToValue(string);
     }
 

diff --git a/src/test/java/org/json/junit/JSONParserConfigurationTest.java b/src/test/java/org/json/junit/JSONParserConfigurationTest.java
@@ -218,6 +218,7 @@ public void verifyMaxDepthThenDuplicateKey() {
      */
     private List<String> getNonCompliantJSONList() {
         return Arrays.asList(
+            "[[a]]",
             "[]asdf",
             "[]]",
             "[]}",