Read more

Parsing JSON with edge cases

Deleted user #4117
February 26, 2021Software engineer
Say thanks1

The linked article shows that there are unclear parts in the JSON specification and that different parsers treat them differently (which could lead to security vulnerabilities in certain cases).

Illustration online protection

Rails professionals since 2007

Our laser focus on a single technology has made us a leader in this space. Need help?

  • We build a solid first version of your product
  • We train your development team
  • We rescue your project in trouble
Read more Show archive.org snapshot

I was curious what Ruby does (Ruby 2.6.6 with gem json 2.3.0, implementing RFC 7159):

Duplicate Keys 

irb(main):001:0> require 'json'
=> true
irb(main):002:0> JSON.parse('{"qty": 1, "qty": -1}')
=> {"qty"=>-1}

Character Collision 

irb(main):009:0> JSON.parse('{"qty": 1, "qty\ud800": -1}')
JSON::ParserError (487: incomplete surrogate pair at 'qty\ud800": -1}')

irb(main):007:0> JSON.parse('{"qty": 1, "qty"": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "qty"": -1}')

This one was unexpected for me:

irb(main):008:0> JSON.parse('{"qty": 1, "qt\y": -1}')
=> {"qty"=>-1}

Comment Truncation 

irb(main):010:0> JSON.parse('{"qty": 1, "extra": 1/*, "qty": -1, "extra2": 2*/}')
=> {"qty"=>1, "extra"=>1}

irb(main):011:0> JSON.parse('{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')

irb(main):012:0> JSON.parse('{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')

irb(main):013:0> JSON.parse('{"qty": 1, "extra": "a"//, "qty": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a"//, "qty": -1}')

Number Decoding 

irb(main):014:0> JSON.parse('{"qty": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

irb(main):015:0> JSON.parse('{"qty": -999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>-999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

irb(main):016:0> JSON.parse('{"qty": 1.0e4096}')
=> {"qty"=>Infinity}

irb(main):017:0> JSON.parse('{"qty": -1.0e4096}')
=> {"qty"=>-Infinity}
labs.bishopfox.com
License for source code
Posted to makandra dev (2021-02-26 12:11)
This website uses short-lived cookies to improve usability.
or learn more