Fix CVE-2023-51074

2024-03-01 11:00:29 +08:00 · 2024-03-01 11:00:29 +08:00 · 24c09a61cc
commit 24c09a61cc
parent ab905fb761
2 changed files with 78 additions and 5 deletions
--- a/CVE-2023-51074.patch
+++ b/CVE-2023-51074.patch
@ -0,0 +1,70 @@
+From 71a09c1193726c010917f1157ecbb069ad6c3e3b Mon Sep 17 00:00:00 2001
+From: Tobi <22715034+twobiers@users.noreply.github.com>
+Date: Thu, 18 Jan 2024 16:48:57 +0100
+Subject: [PATCH] Check for the existence of the next significant bracket
+ (#985)
+
+---
+ .../jayway/jsonpath/internal/path/PathCompiler.java  |  6 +++++-
+ .../src/test/java/com/jayway/jsonpath/Issue_970.java | 12 ++++++++++++
+ .../src/test/java/com/jayway/jsonpath/Issue_973.java | 12 ++++++++++++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 json-path/src/test/java/com/jayway/jsonpath/Issue_970.java
+ create mode 100644 json-path/src/test/java/com/jayway/jsonpath/Issue_973.java
+
+diff --git a/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java b/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java
+index e4fcd31..e0fb96e 100644
+--- a/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java
+++ b/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java
+@@ -374,7 +374,11 @@ public class PathCompiler {
+             readPosition++;
+         }
+ 
+-        int endBracketIndex = path.indexOfNextSignificantChar(endPosition, CLOSE_SQUARE_BRACKET) + 1;
+        int endBracketIndex = path.indexOfNextSignificantChar(endPosition, CLOSE_SQUARE_BRACKET);
+        if(endBracketIndex == -1) {
+            fail("Property has not been closed - missing closing ]");
+        }
+        endBracketIndex++;
+ 
+         path.setPosition(endBracketIndex);
+ 
+diff --git a/json-path/src/test/java/com/jayway/jsonpath/Issue_970.java b/json-path/src/test/java/com/jayway/jsonpath/Issue_970.java
+new file mode 100644
+index 0000000..25f52b7
+--- /dev/null
+++ b/json-path/src/test/java/com/jayway/jsonpath/Issue_970.java
+@@ -0,0 +1,12 @@
+package com.jayway.jsonpath;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.assertThatNoException;
+
+public class Issue_970 {
+    @Test
+    public void shouldNotCauseStackOverflow() {
+        assertThatNoException().isThrownBy(() -> Criteria.where("[']',"));
+    }
+}
+diff --git a/json-path/src/test/java/com/jayway/jsonpath/Issue_973.java b/json-path/src/test/java/com/jayway/jsonpath/Issue_973.java
+new file mode 100644
+index 0000000..a1d05ac
+--- /dev/null
+++ b/json-path/src/test/java/com/jayway/jsonpath/Issue_973.java
+@@ -0,0 +1,12 @@
+package com.jayway.jsonpath;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.*;
+
+public class Issue_973 {
+    @Test
+    public void shouldNotCauseStackOverflow() {
+        assertThatNoException().isThrownBy(() -> Criteria.parse("@[\"\",/\\"));
+    }
+}
+-- 
+2.33.0
+
--- a/json-path.spec
+++ b/json-path.spec
@ -1,6 +1,6 @@
 Name:                json-path
 Version:             2.1.0
-Release:             2
+Release:             3
 Summary:             Java JsonPath implementation
 License:             ASL 2.0 and BSD
 URL:                 https://github.com/jayway/JsonPath
@ -9,6 +9,8 @@ Source1:             https://repo1.maven.org/maven2/com/jayway/jsonpath/json-pat
 Source2:             https://repo1.maven.org/maven2/com/jayway/jsonpath/json-path-assert/%{version}/json-path-assert-%{version}.pom
 Patch0:              %{name}-2.1.0-JsonOrg.patch
 Patch1:              fix-Upgrade-to-Hamcrest-2.2.patch
+# https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b
+Patch2:              CVE-2023-51074.patch
 BuildRequires:       maven-local mvn(com.fasterxml.jackson.core:jackson-databind)
 BuildRequires:       mvn(com.google.code.gson:gson) mvn(commons-io:commons-io) mvn(junit:junit)
 BuildRequires:       mvn(net.minidev:json-smart) mvn(org.apache.felix:maven-bundle-plugin)
@ -24,13 +26,11 @@ Summary:             Javadoc for %{name}
 This package contains javadoc for %{name}.

 %prep
-%setup -q -n JsonPath-%{name}-%{version}
+%autosetup -n JsonPath-%{name}-%{version} -p1
 find -type f -name *.jar -print -delete
 find -type f -name *.class -print -delete
 cp -p %{SOURCE1} %{name}/pom.xml
 cp -p %{SOURCE2} %{name}-assert/pom.xml
-%patch0 -p1
-%patch1 -p1
 rm -rf %{name}/src/main/java/com/jayway/jsonpath/spi/json/JsonOrg*.java \
 %{name}/src/main/java/com/jayway/jsonpath/spi/mapper/JsonOrg*.java \
 %{name}/src/test/java/com/jayway/jsonpath/JsonOrg*.java
@ -94,7 +94,7 @@ done
 %mvn_package :%{name}-parent __noinstall

 %build
-%mvn_build -- -Dproject.build.sourceEncoding=UTF-8
+%mvn_build -f -- -Dproject.build.sourceEncoding=UTF-8 -Dsource=8

 %install
 %mvn_install
@ -107,6 +107,9 @@ done
 %license LICENSE

 %changelog
+* Fri Mar 01 2024 yaoxin <yao_xin001@hoperun.com> - 2.1.0-3
+- Fix CVE-2023-51074
+
 * Sat Oct 07 2023 wangkai <13474090681@163.com> - 2.1.0-2
 - Fix build error for hamcrest-2.2