Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check for trailing content when parsing JSON #5048

Closed
wants to merge 1 commit into from
Closed

Check for trailing content when parsing JSON #5048

wants to merge 1 commit into from

Conversation

findepi
Copy link
Member

@findepi findepi commented Jun 15, 2022

Before the change, various JSON parsing routines would ignore content
after a } matching to the opening { is found. This commit changes
the common parsing pattern to use a newly introduced utility method
which checks for trailing payload and fails if any is found.

Follows #4537 (comment)

@findepi
Copy link
Member Author

findepi commented Jun 15, 2022

Currently, based on #4537, since it fixes also code being added there.

@findepi findepi mentioned this pull request Jun 15, 2022
Merged
nastra
nastra approved these changes Jun 15, 2022
View reviewed changes
Copy link
Contributor

@nastra nastra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with one question

core/src/test/java/org/apache/iceberg/TestSnapshotRefParser.java Outdated Show resolved Hide resolved
@findepi findepi force-pushed the findepi/reject-trailing-json-garbage branch from 314e6fb to 3661c85 Compare June 15, 2022 13:49
@findepi findepi force-pushed the findepi/reject-trailing-json-garbage branch from 3661c85 to 3e684b7 Compare June 23, 2022 12:15
@findepi
Check for trailing content when parsing JSON
b40c777 
Before the change, various JSON parsing routines would ignore content
after a `}` matching to the opening `{` is found. This commit changes
the common parsing pattern to use a newly introduced utility method
which checks for trailing payload and fails if any is found.
@findepi findepi force-pushed the findepi/reject-trailing-json-garbage branch from 3e684b7 to b40c777 Compare June 23, 2022 12:57
@findepi
Copy link
Member Author

findepi commented Jun 23, 2022

I think I don't know how to fix the iceberg-mr classpath to include jackson databind, with the right version.

@github-actions github-actions bot added the MR label Jun 23, 2022
@rdblue
Copy link
Contributor

rdblue commented Jun 28, 2022

@findepi, what problem is this fixing? Did you see this in practice with a corrupt file?

@findepi
Copy link
Member Author

findepi commented Jun 28, 2022

@rdblue thank for spending time and reviewing my PR.

Did you see this in practice with a corrupt file?

I haven't.
Iceberg library doesn't write such invalid content.

i also don't see currently that this could be exploited for security reasons

what problem is this fixing?

we incorrectly accept an incorrect input which ought to be rejected

@findepi
Copy link
Member Author

findepi commented Jul 22, 2022

we have a bug in the library where we accept invalid JSON payloads (files) just because we stop parsing at some point.
i think this should be fixed.

@findepi
Copy link
Member Author

findepi commented Jul 29, 2022

@danielcweeks do you have opinion about this PR?

@findepi findepi closed this Aug 23, 2022
@findepi findepi deleted the findepi/reject-trailing-json-garbage branch August 23, 2022 12:56
@findepi findepi mentioned this pull request Sep 20, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nastra nastra nastra approved these changes

@rdblue rdblue Awaiting requested review from rdblue

@danielcweeks danielcweeks Awaiting requested review from danielcweeks

Assignees
No one assigned
Labels
build core MR spark
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@findepi @rdblue @nastra