Merge pull request #72 from dpeger/fixes/v2.3/parse-numberformatexception

[#60][#62] Unchecked Exception in Parser

Author: UrielCh

README.md

@@ -6,6 +6,9 @@
 
 # Changelog
 
+### *V 2.3.1*
+* Fixes [issue #60](https://github.com/netplex/json-smart-v2/issues/60) (CVE-2021-27568)
+
 ### *V 2.3*
 * Patch 37 [issue 37](http://code.google.com/p/json-smart/issues/detail?id=37)
 * explicite support of char 127 [issue 18](http://code.google.com/p/json-smart/issues/detail?id=18)

accessors-smart/pom.xml

@@ -3,22 +3,22 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>net.minidev</groupId>
     <artifactId>accessors-smart</artifactId>
-    <version>1.2-SNAPSHOT</version>
+    <version>2.3.1</version>
     <name>ASM based accessors helper used by json-smart</name>
     <description>Java reflect give poor performance on getter setter an constructor calls, accessors-smart use ASM to speed up those calls.
     </description>
     <packaging>bundle</packaging>
-    <url>http://www.minidev.net/</url>
+    <url>https://urielch.github.io/</url>
     <organization>
         <name>Chemouni Uriel</name>
-        <url>http://www.minidev.net/</url>
+        <url>https://urielch.github.io/</url>
     </organization>
     <developers>
         <developer>
             <id>uriel</id>
             <name>Uriel Chemouni</name>
             <email>[email protected]</email>
-            <timezone>GMT-7</timezone>
+            <timezone>GMT+3</timezone>
             <roles>
             </roles>
         </developer>
@@ -33,8 +33,8 @@
     </licenses>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <maven.compiler.source>1.5</maven.compiler.source>
-        <maven.compiler.target>1.5</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
     </properties>
     <dependencies>
         <dependency>
@@ -51,7 +51,7 @@
     </dependencies>
 
     <!-- updated on 29/10/2015 -->
-                <!--
+    <!--
     <reporting>
         <plugins>
             <plugin>
@@ -92,7 +92,11 @@
                 </property>
             </activation>
             <properties>
-                <gpg.keyname>8E322ED0</gpg.keyname>
+                <!-- My old Is back -->
+                <!-- <gpg.keyname>2C8DF6EC</gpg.keyname> -->
+                <!-- 2021 rsa4096 key-->
+                <gpg.keyname>53BE126D</gpg.keyname>
+                <!-- <gpg.keyname>8E322ED0</gpg.keyname> -->
                 <!-- <gpg.keyname>Uriel Chemouni (dev) <[email protected]></gpg.keyname> -->
                 <!-- GPG Key ID to use for signing -->
             </properties>
@@ -196,8 +200,8 @@
                 <version>3.3</version>
                 <configuration>
                     <encoding>UTF-8</encoding>
-                    <source>1.6</source>
-                    <target>1.6</target>
+                    <source>${maven.compiler.source}</source>
+                    <target>${maven.compiler.target}</target>
                     <excludes>
                         <exclude>**/.svn/*</exclude>
                         <exclude>**/.svn</exclude>
@@ -229,7 +233,7 @@
                 <!-- updated on 29/07/2015 -->
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
-                <version>2.10.3</version>
+                <version>2.10.4</version>
                 <!-- ONLY NEEDED With jdk 1.7+ -->
                 <configuration>
                     <failOnError>false</failOnError>
@@ -247,7 +251,7 @@
             <plugin>
                 <groupId>org.apache.felix</groupId>
                 <artifactId>maven-bundle-plugin</artifactId>
-                <version>3.3.0</version> <!-- 3.0.0 need java 7+ -->
+                <version>3.5.1</version> <!-- 3.0.0 need java 7+ -->
                 <extensions>true</extensions>
                 <configuration>
                     <instructions>

json-smart-action/pom.xml

@@ -3,26 +3,26 @@
 	<parent>
 		<groupId>net.minidev</groupId>
 		<artifactId>minidev-parent</artifactId>
-		<version>2.3-SNAPSHOT</version>
+		<version>2.3.1</version>
 	</parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>json-smart-action</artifactId>
-    <name>JSON Small and Fast Parser</name>
+    <name>JSON-smart-action Small and Fast Parser</name>
     <description>
         JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
     </description>
     <packaging>bundle</packaging>
-    <url>http://www.minidev.net/</url>
+    <url>https://urielch.github.io/</url>
     <organization>
         <name>Chemouni Uriel</name>
-        <url>http://www.minidev.net/</url>
+        <url>https://urielch.github.io/</url>
     </organization>
     <developers>
         <developer>
             <id>uriel</id>
             <name>Uriel Chemouni</name>
             <email>[email protected]</email>
-            <timezone>GMT-7</timezone>
+            <timezone>GMT+3</timezone>
             <roles>
             </roles>
         </developer>
@@ -43,8 +43,8 @@
     </licenses>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <maven.compiler.source>1.5</maven.compiler.source>
-        <maven.compiler.target>1.5</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
     </properties>
     <dependencies>
         <dependency>
@@ -85,7 +85,9 @@
             </activation>
             <properties>
             	<!-- My old Is back -->
-                <gpg.keyname>2C8DF6EC</gpg.keyname>
+				<!-- <gpg.keyname>2C8DF6EC</gpg.keyname> -->
+				<!-- 2021 rsa4096 key-->
+				<gpg.keyname>53BE126D</gpg.keyname>
                 <!-- <gpg.keyname>8E322ED0</gpg.keyname> -->
                 <!-- <gpg.keyname>Uriel Chemouni (dev) <[email protected]></gpg.keyname> -->
                 <!-- GPG Key ID to use for signing -->
@@ -190,8 +192,8 @@
                 <version>3.3</version>
                 <configuration>
                     <encoding>UTF-8</encoding>
-                    <source>1.6</source>
-                    <target>1.6</target>
+                    <source>${maven.compiler.source}</source>
+                    <target>${maven.compiler.target}</target>
                     <excludes>
                         <exclude>**/.svn/*</exclude>
                         <exclude>**/.svn</exclude>
@@ -223,7 +225,7 @@
                 <!-- updated on 29/07/2015 -->
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
-                <version>2.10.3</version>
+                <version>2.10.4</version>
                 <!-- ONLY NEEDED With jdk 1.7+ -->
                 <configuration>
                     <failOnError>false</failOnError>
@@ -241,7 +243,7 @@
             <plugin>
                 <groupId>org.apache.felix</groupId>
                 <artifactId>maven-bundle-plugin</artifactId>
-                <version>3.0.0</version>
+                <version>3.5.1</version>
                 <extensions>true</extensions>
                 <configuration>
                     <instructions>

json-smart/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>net.minidev</groupId>
 		<artifactId>minidev-parent</artifactId>
-		<version>2.3-SNAPSHOT</version>
+		<version>2.3.1</version>
 	</parent>
 	<!-- this POM is released under an Apache 2.0 license -->
 	<modelVersion>4.0.0</modelVersion>
@@ -13,17 +13,17 @@
         JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
     </description>
 	<packaging>bundle</packaging>
-	<url>http://www.minidev.net/</url>
+	<url>https://urielch.github.io/</url>
 	<organization>
 		<name>Chemouni Uriel</name>
-		<url>http://www.minidev.net/</url>
+		<url>https://urielch.github.io/</url>
 	</organization>
 	<developers>
 		<developer>
 			<id>uriel</id>
 			<name>Uriel Chemouni</name>
 			<email>[email protected]</email>
-			<timezone>GMT-7</timezone>
+			<timezone>GMT+3</timezone>
 			<roles>
 			</roles>
 		</developer>
@@ -44,8 +44,8 @@
 	</licenses>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<maven.compiler.source>1.5</maven.compiler.source>
-		<maven.compiler.target>1.5</maven.compiler.target>
+		<maven.compiler.source>1.8</maven.compiler.source>
+		<maven.compiler.target>1.8</maven.compiler.target>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -56,7 +56,7 @@
 		<dependency>
 			<groupId>net.minidev</groupId>
 			<artifactId>accessors-smart</artifactId>
-            <version>1.2-SNAPSHOT</version>
+			<version>2.3.1</version>
 		</dependency>
 	</dependencies>
 	<scm>
@@ -87,7 +87,9 @@
 			</activation>
 			<properties>
 				<!-- My old Is back -->
-				<gpg.keyname>2C8DF6EC</gpg.keyname>
+				<!-- <gpg.keyname>2C8DF6EC</gpg.keyname> -->
+				<!-- 2021 rsa4096 key-->
+				<gpg.keyname>53BE126D</gpg.keyname>
 				<!-- <gpg.keyname>8E322ED0</gpg.keyname> -->
 				<!-- <gpg.keyname>Uriel Chemouni (dev) <[email protected]></gpg.keyname> -->
 				<!-- GPG Key ID to use for signing -->
@@ -122,8 +124,10 @@
 					</plugin>
 					<!-- Publish also javadocs when releasing - required by Sonatype -->
 					<plugin>
+						<!-- updated on 17/04/2021 -->
 						<groupId>org.apache.maven.plugins</groupId>
 						<artifactId>maven-javadoc-plugin</artifactId>
+						<version>3.2.0</version>
 						<executions>
 							<execution>
 								<id>attach-javadocs</id>
@@ -140,7 +144,7 @@
 					<plugin>
 						<groupId>org.apache.maven.plugins</groupId>
 						<artifactId>maven-release-plugin</artifactId>
-						<version>2.5.2</version>
+						<version>2.5.3</version>
 						<configuration>
 							<mavenExecutorId>forked-path</mavenExecutorId>
 							<arguments>-Psonatype-oss-release</arguments>
@@ -172,10 +176,10 @@
 	<build>
 		<plugins>
 			<plugin>
-				<!-- updated on 29/07/2015 -->
+				<!-- updated on 17/04/2021 -->
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-source-plugin</artifactId>
-				<version>2.4</version>
+				<version>3.2.1</version>
 				<executions>
 					<execution>
 						<id>bind-sources</id>
@@ -186,34 +190,34 @@
 				</executions>
 			</plugin>
 			<plugin>
-				<!-- updated on 29/10/2015 -->
+				<!-- updated on 17/04/2021 -->
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.3</version>
+				<version>3.8.1</version>
 				<configuration>
 					<encoding>UTF-8</encoding>
-					<source>1.6</source>
-					<target>1.6</target>
+					<source>${maven.compiler.source}</source>
+					<target>${maven.compiler.target}</target>
 					<excludes>
 						<exclude>**/.svn/*</exclude>
 						<exclude>**/.svn</exclude>
 					</excludes>
 				</configuration>
 			</plugin>
 			<plugin>
-				<!-- updated on 29/10/2015 -->
+				<!-- updated on 17/04/2021 -->
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-resources-plugin</artifactId>
-				<version>2.7</version>
+				<version>3.2.0</version>
 				<configuration>
 					<encoding>UTF-8</encoding>
 				</configuration>
 			</plugin>
 			<plugin>
-				<!-- updated on 29/10/2015 -->
+				<!-- updated on 17/04/2021 -->
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-jar-plugin</artifactId>
-				<version>2.6</version>
+				<version>3.2.0</version>
 				<configuration>
 					<excludes>
 						<exclude>**/.svn/*</exclude>
@@ -222,10 +226,10 @@
 				</configuration>
 			</plugin>
 			<plugin>
-				<!-- updated on 29/07/2015 -->
+				<!-- updated on 17/04/2021 -->
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>2.10.3</version>
+				<version>3.2.0</version>
 				<!-- ONLY NEEDED With jdk 1.7+ -->
 				<configuration>
 					<failOnError>false</failOnError>
@@ -241,9 +245,10 @@
 				</executions>
 			</plugin>
 			<plugin>
+				<!-- updated on 17/04/2021 -->
 				<groupId>org.apache.felix</groupId>
 				<artifactId>maven-bundle-plugin</artifactId>
-                <version>3.3.0</version> <!-- 3.0.0 need java 7+ -->
+                <version>5.1.2</version> <!-- 3.0.0 need java 7+ -->
 				<extensions>true</extensions>
 				<configuration>
 					<instructions>

json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java

@@ -139,11 +139,15 @@ public void checkLeadinZero() throws ParseException {
 	protected Number extractFloat() throws ParseException {
 		if (!acceptLeadinZero)
 			checkLeadinZero();
-		if (!useHiPrecisionFloat)
-			return Float.parseFloat(xs);
-		if (xs.length() > 18) // follow JSonIJ parsing method
-			return new BigDecimal(xs);
-		return Double.parseDouble(xs);
+		try {
+			if (!useHiPrecisionFloat)
+				return Float.parseFloat(xs);
+			if (xs.length() > 18) // follow JSonIJ parsing method
+				return new BigDecimal(xs);
+			return Double.parseDouble(xs);
+		} catch (NumberFormatException e) {
+			throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);
+		}
 	}
 
 	/**