From 0d30f12f3f64dbe58bd816597856fb34d9e31fcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20K=C3=B6gl?=
Date: Sat, 28 Oct 2017 12:46:41 +0200
Subject: Perform input validation in JsonPoiner
---
 jsonpointer.py | 8 ++++++++
 tests.py | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/jsonpointer.py b/jsonpointer.py
index 097627f..fd54569 100644
--- a/jsonpointer.py
+++ b/jsonpointer.py
@@ -167,8 +167,16 @@ class JsonPointer(object):
 # Array indices must not contain:
 # leading zeros, signs, spaces, decimals, etc
 _RE_ARRAY_INDEX = re.compile('0|[1-9][0-9]*$')
+ _RE_INVALID_ESCAPE = re.compile('(~[^01]|~$)')
 def __init__(self, pointer):
+
+ # validate escapes
+ invalid_escape = self._RE_INVALID_ESCAPE.search(pointer)
+ if invalid_escape:
+ raise JsonPointerException('Found invalid escape {0}'.format(
+ invalid_escape.group()))
+
 parts = pointer.split('/')
 if parts.pop(0) != '':
 raise JsonPointerException('location must starts with /')
diff --git a/tests.py b/tests.py
index 21483eb..54ca436 100755
--- a/tests.py
+++ b/tests.py
@@ -126,6 +126,12 @@ class WrongInputTests(unittest.TestCase):
 doc = [0, 1, 2]
 self.assertRaises(JsonPointerException, resolve_pointer, doc, '/10')
+ def test_trailing_escape(self):
+ self.assertRaises(JsonPointerException, JsonPointer, '/foo/bar~')
+
+ def test_invalid_escape(self):
+ self.assertRaises(JsonPointerException, JsonPointer, '/foo/bar~2')
+
 class ToLastTests(unittest.TestCase):
--
cgit v1.2.1
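Review bot: The new `raise` in `__init__` copies the matched text into the exception message verbatim, and the character after `~` is arbitrary caller input, so a newline or control character there lands unescaped in the message and in any log that records it; formatting with `!r` avoids that: `raise JsonPointerException('Found invalid escape {0!r}'.format(invalid_escape.group()))`. The pattern would also read more clearly as a raw string without the unused capture group, `re.compile(r'~[^01]|~$')`. Separately, the unchanged `_RE_ARRAY_INDEX` just above anchors only its second alternative, so if it is applied with `match()` (the call site is outside this hunk) a token such as `01` would pass despite the comment; `r'(?:0|[1-9][0-9]*)$'` would enforce it. The body of `__init__` continues past the end of the hunk.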
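Review bot: Both new tests put the bad escape in the last reference token, so nothing pins the check for a `~` that sits directly before a `/` in an earlier token; a case such as `self.assertRaises(JsonPointerException, JsonPointer, '/foo~/bar')` would cover it. A positive case showing that `~0` and `~1` still construct, for example `JsonPointer('/a~0b~1c')`, would guard against the pattern later being tightened too far, unless that is already covered elsewhere in tests.py, which this hunk does not show. `WrongInputTests` begins outside the hunk.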