#2 Infinite loop in JSONReader

Mirko Nasato

stringtree-json 2.0.9

Something as simple as

    public void test() {
        String line = "{ a: 1 }";
        JSONReader reader = new JSONReader();
        Object object = reader.read(line); // never returns on this input
    }

seems to get stuck in an infinite loop.

Using JSONValidatingReader instead of JSONReader gives:

    expected string at column 3
    { a: 1 }
      ^
    expected value at column 1
    { a: 1 }

After further investigation, stringtree-json only seems to work with "{ \"a\": 1 }", not with "{ a: 1 }" nor with "{ 'a': 1 }".

In any case the fact that it enters an infinite loop is very bad.

Switching back to the good old library at http://www.json.org/java/


  • Frank Carver

    • status: open --> closed
  • Frank Carver

    Logged In: YES
    Originator: NO

    I'm sorry if JSONReader is not to your taste.

    The Stringtree JSONReader does not attempt any error detection or correction. It was an important goal of JSONReader to be as fast and lean as possible when presented with valid JSON input. Extra code to recognize and deal with even a reasonable range of possible error cases would dramatically bloat and slow down the code. This would penalise all users, even those who never supply any invalid input.

    In my experience, the great majority of JSON is mechanically generated, and thus unlikely to include these sorts of error.

    I understand that an infinite loop is a poor response from the software, but the solution is to ensure that your JSON is valid before attempting to parse it. If you have a source of JSON which might produce invalid JSON, then the solution is to use the JSONValidatingReader, which gave a correct identification of the problem in this case.

    Your comment that JSONReader requires {"a":1} is correct. That is the format required by the JSON specification at json.org. A JSON "object" starts with {, ends with }, and contains a comma-separated sequence of "name" : value pairs. Names without quotes, or names surrounded by apostrophes, are not valid.

    With all that in mind, I am closing this bug.

  • Mirko Nasato

    Logged In: YES
    Originator: YES

    Fair enough, thanks for clarifying that this behaviour is by design. I know JSON only specifies double quotes for object key names, although the other two forms are valid in JavaScript.

    Maybe you could at least warn your users that using the non-validating JSONReader on a public service will expose them to a risk of denial of service, triggered by simply passing an invalid JSON string.
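
The advice in this thread (validate untrusted JSON before it reaches a non-validating parser) as an added example; it is not stringtree-json code and not from either poster. The class name JsonGate and the nesting cap of 64 are assumptions. Every step either advances the read position or throws, so the check terminates on any input.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical class, not stringtree-json code): strict JSON syntax gate.
public final class JsonGate {
    private static final Pattern SCALAR = Pattern.compile(
        "true|false|null|-?(0|[1-9]\\d*)(\\.\\d+)?([eE][+-]?\\d+)?");
    private static final Pattern ESCAPE = Pattern.compile("[\"\\\\/bfnrt]|u[0-9a-fA-F]{4}");
    private final String s;
    private int i; // read position: every step advances it or throws
    private JsonGate(String s) { this.s = s; }
    // True only if text is exactly one syntactically valid JSON value.
    public static boolean isValid(String text) {
        try {
            JsonGate g = new JsonGate(text);
            g.value(0);
            return g.ws() == text.length();
        } catch (RuntimeException e) { return false; } // syntax error or truncated input
    }
    private int ws() { while (i < s.length() && " \t\r\n".indexOf(s.charAt(i)) >= 0) i++; return i; }
    private void need(boolean ok) { if (!ok) throw new IllegalArgumentException("at " + i); }
    private void eat(Pattern p) { // consume one token matching p at the read position
        Matcher m = p.matcher(s).region(i, s.length());
        need(m.lookingAt());
        i = m.end();
    }
    private void string() { // double-quoted only: rejects { a: 1 } and { 'a': 1 }
        need(s.charAt(i++) == '"');
        for (char c = s.charAt(i++); c != '"'; c = s.charAt(i++)) {
            need(c >= 0x20);
            if (c == '\\') eat(ESCAPE);
        }
    }
    private void value(int depth) {
        ws();
        char c = s.charAt(i);
        if (c == '"') { string(); return; }
        if (c != '{' && c != '[') { eat(SCALAR); return; }
        need(depth < 64); // assumed cap on nesting, keeps recursion shallow
        char close = (c == '{') ? '}' : ']';
        i++; ws();
        if (s.charAt(i) == close) { i++; return; }
        for (char d = ','; d != close; d = s.charAt(i++)) {
            need(d == ',');
            if (c == '{') { ws(); string(); ws(); need(s.charAt(i++) == ':'); }
            value(depth + 1);
            ws();
        }
    }
}
```

`JsonGate.isValid` returns true for `{ "a": 1 }` and false for `{ a: 1 }` and `{ 'a': 1 }`, the three inputs from the report. A service would hand text to the lean parser only when the gate returns true.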