Merge pull request #655 from gocsaf/json-eof

Make json parsing more strict

csaf/advisory.go

@@ -14,6 +14,8 @@ import (
 	"fmt"
 	"io"
 	"os"
+
+	"github.com/gocsaf/csaf/v3/internal/misc"
 )
 
 // Acknowledgement reflects the 'acknowledgement' object in the list of acknowledgements.
@@ -383,7 +385,6 @@ type Relationship struct {
 	FullProductName           *FullProductName      `json:"full_product_name"`            // required
 	ProductReference          *ProductID            `json:"product_reference"`            // required
 	RelatesToProductReference *ProductID            `json:"relates_to_product_reference"` // required
-
 }
 
 // Relationships is a list of Relationship.
@@ -1391,7 +1392,7 @@ func LoadAdvisory(fname string) (*Advisory, error) {
 	}
 	defer f.Close()
 	var advisory Advisory
-	if err := json.NewDecoder(f).Decode(&advisory); err != nil {
+	if err := misc.StrictJSONParse(f, &advisory); err != nil {
 		return nil, err
 	}
 	if err := advisory.Validate(); err != nil {

csaf/advisory_test.go

@@ -0,0 +1,45 @@
+package csaf
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestLoadAdvisory(t *testing.T) {
+	type args struct {
+		jsonDir string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{{
+		name:    "Valid documents",
+		args:    args{jsonDir: "csaf-documents/valid"},
+		wantErr: false,
+	},
+		{
+			name:    "Garbage trailing data",
+			args:    args{jsonDir: "csaf-documents/trailing-garbage-data"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := filepath.Walk("../testdata/"+tt.args.jsonDir, func(path string, info os.FileInfo, err error) error {
+				if err != nil {
+					return err
+				}
+				if info.Mode().IsRegular() && filepath.Ext(info.Name()) == ".json" {
+					if _, err := LoadAdvisory(path); (err != nil) != tt.wantErr {
+						t.Errorf("LoadAdvisory() error = %v, wantErr %v", err, tt.wantErr)
+					}
+				}
+				return nil
+			}); err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
+}

csaf/generate_cvss_enums.go

@@ -12,7 +12,6 @@ package main
 
 import (
 	"bytes"
-	"encoding/json"
 	"flag"
 	"fmt"
 	"go/format"
@@ -22,6 +21,8 @@ import (
 	"sort"
 	"strings"
 	"text/template"
+
+	"github.com/gocsaf/csaf/v3/internal/misc"
 )
 
 // We from Intevation consider the source code parts in the following
@@ -98,7 +99,7 @@ func loadSchema(filename string) (*schema, error) {
 	}
 	defer f.Close()
 	var s schema
-	if err := json.NewDecoder(f).Decode(&s); err != nil {
+	if err := misc.StrictJSONParse(f, &s); err != nil {
 		return nil, err
 	}
 	return &s, nil

csaf/models.go

@@ -17,6 +17,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gocsaf/csaf/v3/internal/misc"
 	"github.com/gocsaf/csaf/v3/util"
 )
 
@@ -575,7 +576,6 @@ func (d *Distribution) Validate() error {
 // Validate checks if the provider metadata is valid.
 // Returns an error if the validation fails otherwise nil.
 func (pmd *ProviderMetadata) Validate() error {
-
 	switch {
 	case pmd.CanonicalURL == nil:
 		return errors.New("canonical_url is mandatory")
@@ -695,8 +695,7 @@ func (pmd *ProviderMetadata) WriteTo(w io.Writer) (int64, error) {
 func LoadProviderMetadata(r io.Reader) (*ProviderMetadata, error) {
 
 	var pmd ProviderMetadata
-	dec := json.NewDecoder(r)
-	if err := dec.Decode(&pmd); err != nil {
+	if err := misc.StrictJSONParse(r, &pmd); err != nil {
 		return nil, err
 	}
 

csaf/providermetaloader.go

@@ -11,13 +11,13 @@ package csaf
 import (
 	"bytes"
 	"crypto/sha256"
-	"encoding/json"
 	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
 	"strings"
 
+	"github.com/gocsaf/csaf/v3/internal/misc"
 	"github.com/gocsaf/csaf/v3/util"
 )
 
@@ -33,7 +33,7 @@ type ProviderMetadataLoader struct {
 type ProviderMetadataLoadMessageType int
 
 const (
-	//JSONDecodingFailed indicates problems with JSON decoding
+	// JSONDecodingFailed indicates problems with JSON decoding
 	JSONDecodingFailed ProviderMetadataLoadMessageType = iota
 	// SchemaValidationFailed indicates a general problem with schema validation.
 	SchemaValidationFailed
@@ -149,7 +149,6 @@ func (pmdl *ProviderMetadataLoader) Enumerate(domain string) []*LoadedProviderMe
 	}
 	dnsURL := "https://csaf.data.security." + domain
 	return []*LoadedProviderMetadata{pmdl.loadFromURL(dnsURL)}
-
 }
 
 // Load loads one valid provider metadata for a given path.
@@ -323,7 +322,7 @@ func (pmdl *ProviderMetadataLoader) loadFromURL(path string) *LoadedProviderMeta
 
 	var doc any
 
-	if err := json.NewDecoder(tee).Decode(&doc); err != nil {
+	if err := misc.StrictJSONParse(tee, &doc); err != nil {
 		result.Messages.Add(
 			JSONDecodingFailed,
 			fmt.Sprintf("JSON decoding failed: %v", err))

csaf/remotevalidation.go

@@ -18,6 +18,7 @@ import (
 	"net/http"
 	"sync"
 
+	"github.com/gocsaf/csaf/v3/internal/misc"
 	bolt "go.etcd.io/bbolt"
 )
 
@@ -180,7 +181,6 @@ func prepareCache(config string) (cache, error) {
 			return create()
 		}
 		return nil
-
 	}); err != nil {
 		db.Close()
 		return nil, err
@@ -256,7 +256,7 @@ func deserialize(value []byte) (*RemoteValidationResult, error) {
 	}
 	defer r.Close()
 	var rvr RemoteValidationResult
-	if err := json.NewDecoder(r).Decode(&rvr); err != nil {
+	if err := misc.StrictJSONParse(r, &rvr); err != nil {
 		return nil, err
 	}
 	return &rvr, nil
@@ -323,7 +323,7 @@ func (v *remoteValidator) Validate(doc any) (*RemoteValidationResult, error) {
 			// no cache -> process directly.
 			in = resp.Body
 		}
-		return json.NewDecoder(in).Decode(&rvr)
+		return misc.StrictJSONParse(in, &rvr)
 	}(); err != nil {
 		return nil, err
 	}

csaf/rolie.go

@@ -14,6 +14,7 @@ import (
 	"sort"
 	"time"
 
+	"github.com/gocsaf/csaf/v3/internal/misc"
 	"github.com/gocsaf/csaf/v3/util"
 )
 
@@ -54,7 +55,7 @@ type ROLIEServiceDocument struct {
 // LoadROLIEServiceDocument loads a ROLIE service document from a reader.
 func LoadROLIEServiceDocument(r io.Reader) (*ROLIEServiceDocument, error) {
 	var rsd ROLIEServiceDocument
-	if err := json.NewDecoder(r).Decode(&rsd); err != nil {
+	if err := misc.StrictJSONParse(r, &rsd); err != nil {
 		return nil, err
 	}
 	return &rsd, nil
@@ -122,7 +123,7 @@ func (rcd *ROLIECategoryDocument) Merge(categories ...string) bool {
 // LoadROLIECategoryDocument loads a ROLIE category document from a reader.
 func LoadROLIECategoryDocument(r io.Reader) (*ROLIECategoryDocument, error) {
 	var rcd ROLIECategoryDocument
-	if err := json.NewDecoder(r).Decode(&rcd); err != nil {
+	if err := misc.StrictJSONParse(r, &rcd); err != nil {
 		return nil, err
 	}
 	return &rcd, nil
@@ -195,9 +196,8 @@ type ROLIEFeed struct {
 
 // LoadROLIEFeed loads a ROLIE feed from a reader.
 func LoadROLIEFeed(r io.Reader) (*ROLIEFeed, error) {
-	dec := json.NewDecoder(r)
 	var rf ROLIEFeed
-	if err := dec.Decode(&rf); err != nil {
+	if err := misc.StrictJSONParse(r, &rf); err != nil {
 		return nil, err
 	}
 	return &rf, nil