Read more

Parsing JSON with edge cases

Judith Roth
February 26, 2021Software engineer at makandra GmbH

The linked article shows that there are unclear parts in the JSON specification and that different parsers treat them differently (which could lead to security vulnerabilities in certain cases).

Illustration UI/UX Design

UI/UX Design by makandra brand

We make sure that your target audience has the best possible experience with your digital product. You get:

  • Design tailored to your audience
  • Proven processes customized to your needs
  • An expert team of experienced designers
Read more Show archive.org snapshot

I was curious what Ruby does (Ruby 2.6.6 with gem json 2.3.0, implementing RFC 7159):

Duplicate Keys

irb(main):001:0> require 'json'
=> true
irb(main):002:0> JSON.parse('{"qty": 1, "qty": -1}')
=> {"qty"=>-1}

Character Collision

irb(main):009:0> JSON.parse('{"qty": 1, "qty\ud800": -1}')
JSON::ParserError (487: incomplete surrogate pair at 'qty\ud800": -1}')
irb(main):007:0> JSON.parse('{"qty": 1, "qty"": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "qty"": -1}')

This one was unexpected for me:

irb(main):008:0> JSON.parse('{"qty": 1, "qt\y": -1}')
=> {"qty"=>-1}

Comment Truncation

irb(main):010:0> JSON.parse('{"qty": 1, "extra": 1/*, "qty": -1, "extra2": 2*/}')
=> {"qty"=>1, "extra"=>1}
irb(main):011:0> JSON.parse('{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": a/*, "qty": -1, "extra2": b*/}')
irb(main):012:0> JSON.parse('{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a/*", "qty": -1, "extra2": "b"*/}')
irb(main):013:0> JSON.parse('{"qty": 1, "extra": "a"//, "qty": -1}')
JSON::ParserError (784: unexpected token at '{"qty": 1, "extra": "a"//, "qty": -1}')

Number Decoding

irb(main):014:0> JSON.parse('{"qty": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}
irb(main):015:0> JSON.parse('{"qty": -999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}')
=> {"qty"=>-999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}
irb(main):016:0> JSON.parse('{"qty": 1.0e4096}')
=> {"qty"=>Infinity}
irb(main):017:0> JSON.parse('{"qty": -1.0e4096}')
=> {"qty"=>-Infinity}
Posted by Judith Roth to makandra dev (2021-02-26 12:11)