Boris Capitanu created CXF-7287:
-----------------------------------
Summary: Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
Key: CXF-7287
URL: https://issues.apache.org/jira/browse/CXF-7287
Project: CXF
Issue Type: Bug
Affects Versions: 3.1.7
Environment: OSX, Tomcat8, Java8
Reporter: Boris Capitanu
*Background*:
Discovered when using JWT tokens. In
org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer there is a line of
code that reads:
{code}
JwtClaims theClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
{code}
If the method "getDecodedJwsPayload()" returns a JSON string like:
{noformat}
"\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\""
{noformat}
then the "fromJson" method returns an incorrect Map.
*The Bug*
The problem occurs in org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter
(defined in cxf-rt-rs-json-basic-3.1.7.jar) in the _readJsonObjectAsSettable_
method. Specifically, line 188 reads:
{code}
int commaIndex = getCommaIndex(json, sepIndex + j);
{code}
which will cause the wrong comma index to be found for the JSON key "roles" in
my example above (apparently commaIndex is used to find the "next json key"
position in the json string).
I'm also thinking that it's possible that line 166 could be a problem as well,
if a JSON value would ever contain an (escaped) quote character.
This JSON parsing seems fragile... I wonder why a "standard" JSON library
wasn't used (perhaps just to not add an additional dependency?)
Proper parsing of commas in JSON values is important for JWT purposes as the
constructor of _org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext_
expects role claims to be comma-separated.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
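The failure mode the report describes, shown as an added Python example (not CXF's code): a scanner that looks for the next comma without tracking whether it is inside a string literal truncates the {{roles}} value, while a scanner that skips string literals (including escaped quotes, the second concern raised in the report) recovers the whole claim. The two payloads are constructed from the report's example; {{naive_parse}} imitates the reported behaviour rather than reproducing the {{JsonMapObjectReaderWriter}} implementation, and {{roles_from_claims}} splits on commas the way the report says {{JwtTokenSecurityContext}} expects.

```python
import json

# Constructed sample: the payload from the report, wrapped in braces so it is a complete JSON object.
SAMPLE_PAYLOAD = '{"sub":"admin","roles":"admin,user","iss":"auth0"}'
# Constructed sample with an escaped quote inside a value (the report's second concern).
ESCAPED_PAYLOAD = '{"sub":"ad\\"min","roles":"admin,user"}'


def naive_parse(payload):
    """Split on every comma and colon regardless of string context.

    This imitates the failure mode described in the report; it is not CXF's code.
    """
    body = payload.strip()[1:-1]
    claims = {}
    for chunk in body.split(','):
        key, sep, value = chunk.partition(':')
        claims[key.strip().strip('"')] = value.strip().strip('"') if sep else None
    return claims


def find_outside_strings(s, target, start=0):
    """Index of the first `target` at or after `start` that is not inside a JSON string; -1 if none."""
    in_string = False
    i = start
    while i < len(s):
        c = s[i]
        if in_string:
            if c == '\\':
                i += 2          # skip the escaped character (\" or \\)
                continue
            if c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == target:
            return i
        i += 1
    return -1


def parse_flat_object(payload):
    """Parse a flat JSON object of string values, locating separators only outside string literals."""
    body = payload.strip()
    if not (body.startswith('{') and body.endswith('}')):
        raise ValueError("expected a JSON object")
    body = body[1:-1]
    claims = {}
    pos = 0
    while pos < len(body):
        comma = find_outside_strings(body, ',', pos)
        end = len(body) if comma == -1 else comma
        chunk = body[pos:end]
        colon = find_outside_strings(chunk, ':')
        if colon == -1:
            raise ValueError("malformed member: %r" % chunk)
        # json.loads on each quoted fragment applies the JSON escape rules (\" becomes ").
        key = json.loads(chunk[:colon].strip())
        value = json.loads(chunk[colon + 1:].strip())
        claims[key] = value
        pos = end + 1
    return claims


def roles_from_claims(claims):
    """Split the comma-separated roles claim, the convention the report attributes to JwtTokenSecurityContext."""
    return [r for r in claims.get("roles", "").split(",") if r]


if __name__ == "__main__":
    print("naive:", naive_parse(SAMPLE_PAYLOAD))
    print("fixed:", parse_flat_object(SAMPLE_PAYLOAD))
    print("roles:", roles_from_claims(parse_flat_object(SAMPLE_PAYLOAD)))
```

Running it shows the naive scan yielding {{roles}} = {{admin}} plus a spurious {{user}} key, so the security context would see one role instead of two; the string-aware scan returns {{admin,user}}, which then splits into both roles.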