Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix + in json #3663

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

fix + in json #3663

wants to merge 6 commits into from
+18 −6

Conversation

shargon
Copy link
Member

@shargon shargon commented Jan 8, 2025

Description

Fix #2612
Based on https://github.com/neo-project/neo/pull/2050/files

Type of change

  • Optimization (the change is only an optimization)
  • Style (the change is only a code style for better maintenance or standard purpose)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

  • JsonTest_Object

Test Configuration:

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

shargon
shargon commented Jan 8, 2025
View reviewed changes
src/Neo.Json/JToken.cs Outdated Show resolved Hide resolved
@roman-khimov
Copy link
Contributor

This can lead to some state diff, needs to be checked.

cschuchardt88
cschuchardt88 reviewed Jan 15, 2025
View reviewed changes
Copy link
Member

@cschuchardt88 cschuchardt88 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is how you do it Check out https://www.unicode.org/charts/PDF/U0000.pdf for Basic Latin Unicode block (U+0021-U+007F).

src/Neo.Json/JToken.cs Outdated Show resolved Hide resolved
src/Neo.Json/JToken.cs Outdated Show resolved Hide resolved
cschuchardt88
cschuchardt88 reviewed Jan 17, 2025
View reviewed changes
Copy link
Member

@cschuchardt88 cschuchardt88 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shargon
I fixed the issue on the branch for you. Check and test changes.

cschuchardt88
cschuchardt88 reviewed Jan 17, 2025
View reviewed changes
src/Neo.Json/JString.cs
@@ -76,7 +76,7 @@ public override T GetEnum<T>(bool ignoreCase = false)

internal override void Write(Utf8JsonWriter writer)
{
writer.WriteStringValue(Value);
writer.WriteRawValue($"\"{DefaultEncoder.Encode(Value).Replace("\\u002B", "+")}\"");
Copy link
Member

@cschuchardt88 cschuchardt88 Jan 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keep in mind allowing the + (plus) sign is a security risk, reference: dotnet/runtime#35281
Only for XSS injection though.

Note: After searching for hours with no luck for solution. I came up with this solution on my own. Its dirty and could have bugs or exploits, however am 99% sure we don't. Need more tests.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it works with newtonsoft (according your reference)

Copy link
Member

@cschuchardt88 cschuchardt88 Jan 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Newtonsoft uses it own custom library. It doesn't use dotnet built-in JSON libraries.

tests/Neo.UnitTests/SmartContract/UT_JsonSerializer.cs

Assert.AreEqual(@"{""\uAAAA"":true}", parsed.ToString());
json = @" {""测试"": true}";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had to allow UnicodeRanges.CjkUnifiedIdeographs for these characters for json DefaultEncoder.

AnnaShaleva
AnnaShaleva reviewed Jan 20, 2025
View reviewed changes
tests/Neo.UnitTests/SmartContract/UT_JsonSerializer.cs
@@ -175,10 +175,13 @@ public void JsonTest_Object()

Assert.AreEqual(@"{""test"":true}", parsed.ToString());

json = @" {""\uAAAA"": true}";
json = @" {""test"":""+""} ";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we keep this test-case with \uAAAA? It's a nice compatibility test for NeoGo.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact I think this will be dropped, no way to do it without unsafe relaxing if we use native json

Copy link
Member

@cschuchardt88 cschuchardt88 Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesnt use unsafe relaxing currently. And its working fine now.

Copy link
Member Author

@shargon shargon Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace is a dirty fix, performance is affected always, not only when it contains +

Copy link
Member

@cschuchardt88 cschuchardt88 Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RegEx.UnEscape? https://learn.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.unescape?view=net-9.0

Could use: https://github.com/dotnet/runtime/blob/4c224ab16d287c17dbc54236638db91266071465/src/libraries/System.Text.Json/src/System/Text/Json/Reader/JsonReaderHelper.Unescaping.cs#L69

src/Neo.Json/JToken.cs

static JToken()
{
DefaultEncoder = JavaScriptEncoder.Create(UnicodeRanges.BasicLatin, UnicodeRanges.CjkUnifiedIdeographs);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it change the old behaviour except the + symbol?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checkout #3663 (comment), but it should be the exactly the same with the addition of the + (plus sign).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AnnaShaleva AnnaShaleva AnnaShaleva left review comments

@Jim8y Jim8y Jim8y left review comments

@cschuchardt88 cschuchardt88 cschuchardt88 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@shargon shargon

@cschuchardt88 cschuchardt88

Labels
Work in Progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

'+' still replaced by \u002B
5 participants
@shargon @roman-khimov @cschuchardt88 @Jim8y @AnnaShaleva