This repository was archived by the owner on Jul 2, 2024. It is now read-only.

buger/jsonparser #5

Closed
dbemiller opened this issue Aug 2, 2018 · 7 comments
Labels
needs investigation we need to investigate some things about this project

Comments

@dbemiller

  • Where is the project currently hosted?

https://github.com/buger/jsonparser

  • Is the project written only in Go, or does it contain other languages (beyond scripts)?

Go only

  • Has the project had any recent activity?

Last commit: March 18... but the activity has been sparse since July 2017.

  • Does the project have a maintainer, or a maintainer looking for someone to take
    over the project?

https://github.com/buger (I assume)

  • Do you have any example projects that make use of this package?

https://godoc.org/github.com/buger/jsonparser?importers

  • Are there any outstanding critical bugs that result in the library being
    totally unusable or insecure?

It depends on your use case... but these are critical if you use the library to parse untrusted JSON and rely on it to return errors:

@afiune

afiune commented Aug 8, 2018

FYI: Issue buger/jsonparser#127 has been solved!

@theckman
Member

@dbemiller Thankfully seems like the author is still around/merging some things, albeit not many of them. How were you thinking we should look to help with this project?

@theckman theckman added the needs investigation we need to investigate some things about this project label Aug 12, 2018
@hchagen

hchagen commented Aug 13, 2018

Both buger/jsonparser#127 and buger/jsonparser#121 were fixed by my latest PR, merged to master 5 days ago :)

@dbemiller
Author

dbemiller commented Aug 13, 2018

@theckman I think we can close this. At the time I opened this issue, buger/jsonparser#127 had been open for 9 months, and @hchagen's PR fixing it had been open for 1 month, without any comments from the owner.

I had made a fork for our own project with those fixes merged in, but reached out here in hopes of starting a more community-driven fork.

These have been fixed, though, and I don't know of any other critical bugs in the library... so I think we should be ok now.

@adamdecaf
Member

I'm in favor of closing this as after a quick glance over the open issues nothing popped out to me as critical.

This project is being used by a fair number of projects, but since there's an active fork all we'd do is take control of that? Do we need to?

@adamdecaf
Member

I ran into github.com/zimmski/fuzzer, which has a super simple fuzzing test. I adapted it and am running over this project. I'm going to run go-fuzz over this project too.

fuzz example
```go
package json

import (
	"fmt"
	"math/rand"
	"os"
	"testing"
	"time"

	"github.com/buger/jsonparser"
	"github.com/zimmski/tavor/fuzz/strategy"
	"github.com/zimmski/tavor/parser"
)

// tavorFile is the JSON grammar that drives input generation.
const tavorFile = "./../../json-rfc7159.minimal.tavor"

func TestJson(t *testing.T) {
	file, err := os.Open(tavorFile)
	if err != nil {
		// Report the path that was actually opened (the original used os.Args[1]).
		panic(fmt.Sprintf("cannot open tavor file %s: %v", tavorFile, err))
	}
	defer func() {
		if err := file.Close(); err != nil {
			panic(err)
		}
	}()

	doc, err := parser.ParseTavor(file)
	if err != nil {
		panic(fmt.Sprintf("cannot parse tavor file: %v", err))
	}

	// Seed from the clock so every run explores a different order.
	r := rand.New(rand.NewSource(time.Now().UTC().UnixNano()))
	ch, err := strategy.NewAlmostAllPermutations(doc, r)
	if err != nil {
		panic(err)
	}

	// Each receive means doc now holds the next permutation.
	for i := range ch {
		bs := []byte(doc.String())

		// Return values are ignored: the test only fails if a call panics.
		jsonparser.Get(bs, "foo")
		jsonparser.GetInt(bs, "num")
		jsonparser.ArrayEach(bs, func(_ []byte, _ jsonparser.ValueType, _ int, _ error) {
			return
		}, "thing")

		// Hand control back to the strategy to produce the next permutation.
		ch <- i
	}
}
```
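An added example, not part of the thread and not jsonparser's code: the fuzz test above only catches panics, while the concern raised in the issue is malformed input that is accepted without an error. The sketch below uses `encoding/json` as the oracle for that case; `lenientGet`, `strictGet` and `SilentAccepts` are hypothetical names, and `lenientGet` is a constructed stand-in where an adapter around `jsonparser.Get` would go.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"math/rand"
)

// lenientGet is a constructed stand-in for a non-validating lookup, not jsonparser itself.
func lenientGet(data []byte, key string) ([]byte, error) {
	i := bytes.Index(data, []byte(`"`+key+`":`))
	if i < 0 {
		return nil, errors.New("key not found")
	}
	rest := data[i+len(key)+3:] // skip past "key":
	if j := bytes.IndexAny(rest, ",}"); j >= 0 {
		rest = rest[:j]
	}
	return rest, nil
}

// strictGet validates the whole document before doing the same lookup.
func strictGet(data []byte, key string) ([]byte, error) {
	if !json.Valid(data) {
		return nil, errors.New("malformed JSON")
	}
	return lenientGet(data, key)
}

// SilentAccepts returns mutated inputs that encoding/json rejects but get accepts.
func SilentAccepts(get func([]byte, string) ([]byte, error), seed []byte, key string, n int, r *rand.Rand) [][]byte {
	var found [][]byte
	for k := 0; k < n; k++ {
		m := append([]byte(nil), seed...)
		p := r.Intn(len(m)) // cut a random run of bytes starting at p
		m = append(m[:p], m[p+1+r.Intn(len(m)-p):]...)
		if _, err := get(m, key); err == nil && !json.Valid(m) {
			found = append(found, m)
		}
	}
	return found
}

func main() {
	seed := []byte(`{"num":1,"foo":"bar","thing":[1,2]}`) // constructed sample
	fmt.Println("lenient:", len(SilentAccepts(lenientGet, seed, "foo", 500, rand.New(rand.NewSource(1)))))
	fmt.Println("strict: ", len(SilentAccepts(strictGet, seed, "foo", 500, rand.New(rand.NewSource(1)))))
}
```

Every input the function returns is a document that a strict validator rejects but the lookup under test answered anyway, which is the failure that matters when callers rely on the error value for untrusted JSON.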

@theckman
Member

👍 on closing this at this time. Nothing prevents us from opening a new issue in the future if we want to reconsider this project.


5 participants