Parsing JSON with edge cases

Updated . Posted . Visible to the public.

The linked article shows that there are unclear parts in the JSON specification and that different parsers treat them differently (which could lead to security vulnerabilities in certain cases).

I was curious what Ruby does (Ruby 2.6.6 with gem json 2.3.0, implementing RFC 7159):

Duplicate Keys 

irb(main):001:0> require 'json'
=> true
irb(main):002:0> JSON.parse('{"qty": 1, "qty": -1}')
=> {"qty"=>-1}

Character Collision 

irb(main):009:0> JSON.parse('{"qty": 1, "qty\ud800": -1}')
JSON::ParserError (487: incomplete surrogate pair at 'qty\ud800": -1}')

irb(main):007:0> JSON.parse('{"qty": 1, "qty"": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "qty"": -1}')

This one was unexpected for me:

irb(main):008:0> JSON.parse('{"qty": 1, "qt\y": -1}')
=> {"qty"=>-1}

Comment Truncation 

irb(main):010:0> JSON.parse('{"qty": 1, "extra": 1/*, "qty": -1, "extra2": 2*/}')
=> {"qty"=>1, "extra"=>1}

irb(main):011:0> JSON.parse('{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')

irb(main):012:0> JSON.parse('{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')

irb(main):013:0> JSON.parse('{"qty": 1, "extra": "a"//, "qty": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a"//, "qty": -1}')

Number Decoding 

irb(main):014:0> JSON.parse('{"qty": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

irb(main):015:0> JSON.parse('{"qty": -999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>-999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

irb(main):016:0> JSON.parse('{"qty": 1.0e4096}')
=> {"qty"=>Infinity}

irb(main):017:0> JSON.parse('{"qty": -1.0e4096}')
=> {"qty"=>-Infinity}
labs.bishopfox.com
Judith Roth
Say thanks1
Last edit
Judith Roth
License
Source code in this card is licensed under the MIT License.
Posted by Judith Roth to makandra dev (2021-02-26 11:11)
This website uses short-lived cookies to improve usability.
or learn more