fix(#887): double array breaking JSONTokener.nextValue

change(#887): input validation
2025-08-02 11:05:28 -04:00 · 2024-04-21 11:03:15 +01:00 · 2024-04-21 11:03:15 +01:00 · 3dcd5b2fab
commit 3dcd5b2fab
parent ce074e9f9a
3 changed files with 20 additions and 20 deletions
--- a/src/main/java/org/json/JSONArray.java
+++ b/src/main/java/org/json/JSONArray.java
@ -133,6 +133,17 @@ public class JSONArray implements Iterable<Object> {
                    case ']':
                        if (jsonParserConfiguration.isStrictMode()) {
                            nextChar = x.nextClean();
+
+                            if (nextChar == ','){
+                                x.back();
+                                return;
+                            }
+
+                            if (nextChar == ']'){
+                                x.back();
+                                return;
+                            }
+
                            if (nextChar != 0) {
                                throw x.syntaxError("invalid character found after end of array: " + nextChar);
                            }
@ -161,27 +172,14 @@ public class JSONArray implements Iterable<Object> {
        char cursor = x.getPrevious();

        boolean isEndOfArray = cursor == ']';
-        boolean nextCharacterIsNotEoF = x.nextClean() != 0;
+        char nextChar = x.nextClean();
+        boolean nextCharacterIsNotEoF = nextChar != 0;

        if (isEndOfArray && nextCharacterIsNotEoF) {
-            String completeInput = collectCompleteInput(x);
-            throw new JSONException("Provided Array is not compliant with strict mode guidelines: " + completeInput);
+            throw x.syntaxError(String.format("Provided Array is not compliant with strict mode guidelines: '%s'", nextChar));
        }
    }

-    private String collectCompleteInput(JSONTokener x) {
-        String nonCompliantStringAfterArray = collectNonCompliantStringAfterArray(x);
-        return myArrayList + nonCompliantStringAfterArray;
-    }
-
-    private String collectNonCompliantStringAfterArray(JSONTokener x) {
-        StringBuilder sb = new StringBuilder().append(x.getPrevious());
-        while(x.nextClean() != 0){
-            sb.append(x.getPrevious());
-        }
-        return sb.toString();
-    }
-
    /**
     * Construct a JSONArray from a source JSON text.
     *
--- a/src/main/java/org/json/JSONTokener.java
+++ b/src/main/java/org/json/JSONTokener.java
@ -440,7 +440,7 @@ public class JSONTokener {
            case '[':
                this.back();
                try {
-                    return new JSONArray(this);
+                    return new JSONArray(this, jsonParserConfiguration);
                } catch (StackOverflowError e) {
                    throw new JSONException("JSON Array or Object depth too large to process.", e);
                }
@ -516,6 +516,10 @@ public class JSONTokener {

        String string = sb.toString().trim();

+        if (string.isEmpty()) {
+            throw this.syntaxError("Missing value");
+        }
+
        if (strictMode) {
            boolean isBooleanOrNumeric = checkIfValueIsBooleanOrNumeric(string);

@ -526,9 +530,6 @@ public class JSONTokener {
            throw new JSONException(String.format("Value is not surrounded by quotes: %s", string));
        }

-        if (string.isEmpty()) {
-            throw this.syntaxError("Missing value");
-        }
        return JSONObject.stringToValue(string);
    }

--- a/src/test/java/org/json/junit/JSONParserConfigurationTest.java
+++ b/src/test/java/org/json/junit/JSONParserConfigurationTest.java
@ -218,6 +218,7 @@ public class JSONParserConfigurationTest {
     */
    private List<String> getNonCompliantJSONList() {
        return Arrays.asList(
+            "[[a]]",
            "[]asdf",
            "[]]",
            "[]}",