From 0d30f12f3f64dbe58bd816597856fb34d9e31fcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20K=C3=B6gl?= <stefan@skoegl.net>
Date: Sat, 28 Oct 2017 12:46:41 +0200
Subject: Perform input validation in JsonPoiner

---
 jsonpointer.py | 8 ++++++++
 tests.py       | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/jsonpointer.py b/jsonpointer.py
index 097627f..fd54569 100644
--- a/jsonpointer.py
+++ b/jsonpointer.py
@@ -167,8 +167,16 @@ class JsonPointer(object):
     # Array indices must not contain:
     # leading zeros, signs, spaces, decimals, etc
     _RE_ARRAY_INDEX = re.compile('0|[1-9][0-9]*$')
+    _RE_INVALID_ESCAPE = re.compile('(~[^01]|~$)')
 
     def __init__(self, pointer):
+
+        # validate escapes
+        invalid_escape = self._RE_INVALID_ESCAPE.search(pointer)
+        if invalid_escape:
+            raise JsonPointerException('Found invalid escape {0}'.format(
+                invalid_escape.group()))
+
         parts = pointer.split('/')
         if parts.pop(0) != '':
             raise JsonPointerException('location must starts with /')
diff --git a/tests.py b/tests.py
index 21483eb..54ca436 100755
--- a/tests.py
+++ b/tests.py
@@ -126,6 +126,12 @@ class WrongInputTests(unittest.TestCase):
         doc = [0, 1, 2]
         self.assertRaises(JsonPointerException, resolve_pointer, doc, '/10')
 
+    def test_trailing_escape(self):
+        self.assertRaises(JsonPointerException, JsonPointer, '/foo/bar~')
+
+    def test_invalid_escape(self):
+        self.assertRaises(JsonPointerException, JsonPointer, '/foo/bar~2')
+
 
 class ToLastTests(unittest.TestCase):
 
-- 
cgit v1.2.1