Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrading json-smart to version 2.4.9 leads to Exception in karate summary #2277

Closed
AndreasBAtT opened this issue Mar 14, 2023 · 12 comments
Closed

Upgrading json-smart to version 2.4.9 leads to Exception in karate summary #2277

AndreasBAtT opened this issue Mar 14, 2023 · 12 comments
Assignees
@ptrthomas
Labels
bug fixed
Milestone
1.4.0

Comments

@AndreasBAtT
Copy link

AndreasBAtT commented Mar 14, 2023
edited
Loading

If you upgrade net.minidev.json-smart to version 2.4.9 the Karate reports will fail in some cases with an exception.
In Version 2.4.9. of json-smart max depth is hard limited to 400. Maybe this is the reason for it.

com.jayway.jsonpath.InvalidJsonException: net.minidev.json.parser.ParseException: Malicious payload, having non natural depths, parsing stoped on { at position 62015.

at com.jayway.jsonpath.spi.json.JsonSmartJsonProvider.parse(JsonSmartJsonProvider.java:64)
at com.jayway.jsonpath.internal.ParseContextImpl.parse(ParseContextImpl.java:37)
at com.jayway.jsonpath.JsonPath.parse(JsonPath.java:647)
at com.intuit.karate.Json.of(Json.java:63)
at com.intuit.karate.Suite.lambda$getFeatureResults$3(Suite.java:314)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:497)
at com.intuit.karate.Results.<init>(Results.java:72)
at com.intuit.karate.Results.of(Results.java:57)
at com.intuit.karate.Suite.buildResults(Suite.java:384)
at com.intuit.karate.Runner$Builder.parallel(Runner.java:497)
at circuitBreaker.CheckavailabilityCircuitBreakerTest.testServiceQualificationCircuitBreakerDigiOss(CheckavailabilityCircuitBreakerTest.java:89)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:727)
at org.junit.jupiter.engine.execution.MethodInvocation.proceed(MethodInvocation.java:60)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain$ValidatingInvocation.proceed(InvocationInterceptorChain.java:131)
at org.junit.jupiter.engine.extension.TimeoutExtension.intercept(TimeoutExtension.java:156)
at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestableMethod(TimeoutExtension.java:147)
at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestMethod(TimeoutExtension.java:86)
at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker$ReflectiveInterceptorCall.lambda$ofVoidMethod$0(InterceptingExecutableInvoker.java:103)
at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.lambda$invoke$0(InterceptingExecutableInvoker.java:93)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain$InterceptedInvocation.proceed(InvocationInterceptorChain.java:106)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain.proceed(InvocationInterceptorChain.java:64)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain.chainAndInvoke(InvocationInterceptorChain.java:45)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain.invoke(InvocationInterceptorChain.java:37)
at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.invoke(InterceptingExecutableInvoker.java:92)
at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.invoke(InterceptingExecutableInvoker.java:86)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$7(TestMethodTestDescriptor.java:217)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:213)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:138)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:68)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:151)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:41)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:155)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:41)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:155)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:35)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:54)
at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:147)
at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:127)
at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:90)
at org.junit.platform.launcher.core.EngineExecutionOrchestrator.lambda$execute$0(EngineExecutionOrchestrator.java:55)
at org.junit.platform.launcher.core.EngineExecutionOrchestrator.withInterceptedStreams(EngineExecutionOrchestrator.java:102)
at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:54)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:114)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:86)
at org.junit.platform.launcher.core.DefaultLauncherSession$DelegatingLauncher.execute(DefaultLauncherSession.java:86)
at org.junit.platform.launcher.core.SessionPerRequestLauncher.execute(SessionPerRequestLauncher.java:53)
at com.intellij.junit5.JUnit5IdeaTestRunner.startRunnerWithArgs(JUnit5IdeaTestRunner.java:57)
at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:235)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:54)

Caused by: net.minidev.json.parser.ParseException: Malicious payload, having non natural depths, parsing stoped on { at position 62015.
at net.minidev.json.parser.JSONParserBase.readObject(JSONParserBase.java:557)
at net.minidev.json.parser.JSONParserBase.readMain(JSONParserBase.java:465)
at net.minidev.json.parser.JSONParserBase.readObject(JSONParserBase.java:612)
at net.minidev.json.parser.JSONParserBase.readMain(JSONParserBase.java:465)
at net.minidev.json.parser.JSONParserBase.readArray(JSONParserBase.java:335)
at net.minidev.json.parser.JSONParserBase.readMain(JSONParserBase.java:468)
at net.minidev.json.parser.JSONParserBase.readObject(JSONParserBase.java:612)
at net.minidev.json.parser.JSONParserBase.readMain(JSONParserBase.java:465)
at net.minidev.json.parser.JSONParserBase.readArray(JSONParserBase.java:335)
at net.minidev.json.parser.JSONParserBase.readMain(JSONParserBase.java:468)
at net.minidev.json.parser.JSONParserBase.readObject(JSONParserBase.java:612)
at net.minidev.json.parser.JSONParserBase.readFirst(JSONParserBase.java:363)
at net.minidev.json.parser.JSONParserBase.parse(JSONParserBase.java:216)
at net.minidev.json.parser.JSONParserString.parse(JSONParserString.java:58)
at net.minidev.json.parser.JSONParser.parse(JSONParser.java:278)
at com.jayway.jsonpath.spi.json.JsonSmartJsonProvider.parse(JsonSmartJsonProvider.java:62)
... 87 more
@ptrthomas
Copy link
Member

@AndreasBAtT tagging this as help wanted. without a way to replicate or a PR it is likely to get closed after a while

@markusadelsberger
Copy link

Hi @ptrthomas ,
we have the same issue. I tried it out with the Karate Demo Tests, when you upgrade to json-smart 2.4.9 then the DemoTestParallel will fail with the exact same exception. All I did was add the dependency directly to karate-demo/pom.xml like this:

<dependency>
  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <version>2.4.9</version>
</dependency>

Normally this dependency comes in the version 2.4.7 transitively via com.jayway.jsonpath:json-path:2.7.0, but in our project we use net.minidev:json-smart directly.

If you like I can fork the repo with the changes I made locally? Or is this enough to reproduce this?

KR,

Markus

@ptrthomas
Copy link
Member

@markusadelsberger thanks ! for now, I think what you have is enough to replicate. hopefully using a custom parser at that point will fix it - let me take a look

@ptrthomas ptrthomas self-assigned this Mar 15, 2023
ptrthomas added a commit that referenced this issue Mar 15, 2023
@ptrthomas
resolve json parsing issue for karate json #2277
ffa9d9e
@ptrthomas ptrthomas added this to the 1.4.0 milestone Mar 15, 2023
@ptrthomas
Copy link
Member

@markusadelsberger @AndreasBAtT I've attempted a fix, do see if you can build locally and validate: https://github.com/karatelabs/karate/wiki/Developer-Guide

@AndreasBAtT
Copy link
Author

@ptrthomas Hi, i can confirm that the fix works. Thank you.

@ptrthomas
Copy link
Member

@AndreasBAtT thanks, I'll keep this open and close when 1.4.0 final is released

@ptrthomas ptrthomas reopened this Mar 16, 2023
@AndreasBAtT
Copy link
Author

@ptrthomas With version 2.4.10. of json-smart the json parser is working again

@ptrthomas
Copy link
Member

@AndreasBAtT that's good to know, maybe we can revert the change. I'll check

@jandry
Copy link
Contributor

jandry commented Mar 22, 2023
edited
Loading

I confirm. Got same issue forcing the upgrade to 2.4.9 because of CVE-2023-1370. But 2.4.10 fixed it.
It's the only fix in their release note: https://github.com/netplex/json-smart-v2/releases/tag/2.4.10

ptrthomas added a commit that referenced this issue Mar 23, 2023
@ptrthomas
force upgrade json-smart #2277
0d8c2cf
ptrthomas added a commit that referenced this issue Mar 31, 2023
@ptrthomas
upgrade json-path #2277
02d9b03
@ptrthomas
Copy link
Member

1.4.0 released

@prajwalbandak
Copy link

Hi @ptrthomas ,, for the version 2.4.10 also, the same error is throwing com.jayway.jsonpath.InvalidJsonException: net.minidev.json.parser.ParseException: Malicious payload, having non natural depths, parsing stoped on { at position 62015.

@ptrthomas
Copy link
Member

ptrthomas commented Oct 20, 2023
edited
Loading

if you see this problem in Karate 1.4.1 then please follow this process asap: https://github.com/karatelabs/karate/wiki/How-to-Submit-an-Issue @prajwalbandak

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ptrthomas ptrthomas

Labels
bug fixed
Projects
None yet
Milestone
1.4.0
Development

No branches or pull requests
5 participants
@markusadelsberger @ptrthomas @jandry @prajwalbandak @AndreasBAtT