packages/json-path
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!3 Fix CVE-2023-51074

Browse Source 
From: @starlet-dx 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2024-03-04 02:32:38 +00:00 committed by Gitee
commit 66944a0207
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 78 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
CVE-2023-51074.patch Normal file
View File

@ -0,0 +1,70 @@
From 71a09c1193726c010917f1157ecbb069ad6c3e3b Mon Sep 17 00:00:00 2001
From: Tobi <22715034+twobiers@users.noreply.github.com>
Date: Thu, 18 Jan 2024 16:48:57 +0100
Subject: [PATCH] Check for the existence of the next significant bracket
(#985)
---
.../jayway/jsonpath/internal/path/PathCompiler.java | 6 +++++-
.../src/test/java/com/jayway/jsonpath/Issue_970.java | 12 ++++++++++++
.../src/test/java/com/jayway/jsonpath/Issue_973.java | 12 ++++++++++++
3 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 json-path/src/test/java/com/jayway/jsonpath/Issue_970.java
create mode 100644 json-path/src/test/java/com/jayway/jsonpath/Issue_973.java
diff --git a/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java b/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java
index e4fcd31..e0fb96e 100644
--- a/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java
+++ b/json-path/src/main/java/com/jayway/jsonpath/internal/path/PathCompiler.java
@@ -374,7 +374,11 @@ public class PathCompiler {
readPosition++;
}
- int endBracketIndex = path.indexOfNextSignificantChar(endPosition, CLOSE_SQUARE_BRACKET) + 1;
+ int endBracketIndex = path.indexOfNextSignificantChar(endPosition, CLOSE_SQUARE_BRACKET);
+ if(endBracketIndex == -1) {
+ fail("Property has not been closed - missing closing ]");
+ }
+ endBracketIndex++;
path.setPosition(endBracketIndex);
diff --git a/json-path/src/test/java/com/jayway/jsonpath/Issue_970.java b/json-path/src/test/java/com/jayway/jsonpath/Issue_970.java
new file mode 100644
index 0000000..25f52b7
--- /dev/null
+++ b/json-path/src/test/java/com/jayway/jsonpath/Issue_970.java
@@ -0,0 +1,12 @@
+package com.jayway.jsonpath;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.assertThatNoException;
+
+public class Issue_970 {
+ @Test
+ public void shouldNotCauseStackOverflow() {
+ assertThatNoException().isThrownBy(() -> Criteria.where("[']',"));
+ }
+}
diff --git a/json-path/src/test/java/com/jayway/jsonpath/Issue_973.java b/json-path/src/test/java/com/jayway/jsonpath/Issue_973.java
new file mode 100644
index 0000000..a1d05ac
--- /dev/null
+++ b/json-path/src/test/java/com/jayway/jsonpath/Issue_973.java
@@ -0,0 +1,12 @@
+package com.jayway.jsonpath;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.*;
+
+public class Issue_973 {
+ @Test
+ public void shouldNotCauseStackOverflow() {
+ assertThatNoException().isThrownBy(() -> Criteria.parse("@[\"\",/\\"));
+ }
+}
--
2.33.0

13
json-path.spec
View File

@ -1,6 +1,6 @@
Name: json-path Name: json-path
Version: 2.1.0 Version: 2.1.0
Release: 2 Release: 3
Summary: Java JsonPath implementation Summary: Java JsonPath implementation
License: ASL 2.0 and BSD License: ASL 2.0 and BSD
URL: https://github.com/jayway/JsonPath URL: https://github.com/jayway/JsonPath
@ -9,6 +9,8 @@ Source1: https://repo1.maven.org/maven2/com/jayway/jsonpath/json-pat
Source2: https://repo1.maven.org/maven2/com/jayway/jsonpath/json-path-assert/%{version}/json-path-assert-%{version}.pom Source2: https://repo1.maven.org/maven2/com/jayway/jsonpath/json-path-assert/%{version}/json-path-assert-%{version}.pom
Patch0: %{name}-2.1.0-JsonOrg.patch Patch0: %{name}-2.1.0-JsonOrg.patch
Patch1: fix-Upgrade-to-Hamcrest-2.2.patch Patch1: fix-Upgrade-to-Hamcrest-2.2.patch
# https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b
Patch2: CVE-2023-51074.patch
BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-databind) BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-databind)
BuildRequires: mvn(com.google.code.gson:gson) mvn(commons-io:commons-io) mvn(junit:junit) BuildRequires: mvn(com.google.code.gson:gson) mvn(commons-io:commons-io) mvn(junit:junit)
BuildRequires: mvn(net.minidev:json-smart) mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: mvn(net.minidev:json-smart) mvn(org.apache.felix:maven-bundle-plugin)
@ -24,13 +26,11 @@ Summary: Javadoc for %{name}
This package contains javadoc for %{name}. This package contains javadoc for %{name}.
%prep %prep
%setup -q -n JsonPath-%{name}-%{version} %autosetup -n JsonPath-%{name}-%{version} -p1
find -type f -name *.jar -print -delete find -type f -name *.jar -print -delete
find -type f -name *.class -print -delete find -type f -name *.class -print -delete
cp -p %{SOURCE1} %{name}/pom.xml cp -p %{SOURCE1} %{name}/pom.xml
cp -p %{SOURCE2} %{name}-assert/pom.xml cp -p %{SOURCE2} %{name}-assert/pom.xml
%patch0 -p1
%patch1 -p1
rm -rf %{name}/src/main/java/com/jayway/jsonpath/spi/json/JsonOrg*.java \ rm -rf %{name}/src/main/java/com/jayway/jsonpath/spi/json/JsonOrg*.java \
%{name}/src/main/java/com/jayway/jsonpath/spi/mapper/JsonOrg*.java \ %{name}/src/main/java/com/jayway/jsonpath/spi/mapper/JsonOrg*.java \
%{name}/src/test/java/com/jayway/jsonpath/JsonOrg*.java %{name}/src/test/java/com/jayway/jsonpath/JsonOrg*.java
@ -94,7 +94,7 @@ done
%mvn_package :%{name}-parent __noinstall %mvn_package :%{name}-parent __noinstall
%build %build
%mvn_build -- -Dproject.build.sourceEncoding=UTF-8 %mvn_build -f -- -Dproject.build.sourceEncoding=UTF-8 -Dsource=8
%install %install
%mvn_install %mvn_install
@ -107,6 +107,9 @@ done
%license LICENSE %license LICENSE
%changelog %changelog
* Fri Mar 01 2024 yaoxin <yao_xin001@hoperun.com> - 2.1.0-3
- Fix CVE-2023-51074
* Sat Oct 07 2023 wangkai <13474090681@163.com> - 2.1.0-2 * Sat Oct 07 2023 wangkai <13474090681@163.com> - 2.1.0-2
- Fix build error for hamcrest-2.2 - Fix build error for hamcrest-2.2