Merge branch 'master' into dependabot/github_actions/actions/checkout…

…-4.1.5
fab1an · May 10, 2024 · 4d791df · 4d791df
2 parents 5cec5ba + b526cf3
commit 4d791df
Show file tree

Hide file tree

Showing 7 changed files with 135 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,4 +6,4 @@ secring.gpg
 *.swp
 local.properties
 TODO.txt
-
+/.cifuzz-corpus
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,3 @@
+# Reporting Security Issues
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/fab1an/kotlin-json-stream/security/advisories/new) tab.
diff --git a/build.gradle b/build.gradle
@@ -48,6 +48,11 @@ kotlin {
                 implementation kotlin("test")
             }
         }
+        jvmTest {
+            dependencies {
+                implementation "com.code-intelligence:jazzer-junit:0.22.1"
+            }
+        }
     }
 }
 

diff --git a/src/commonMain/kotlin/com/fab1an/kotlinjsonstream/JsonWriter.kt b/src/commonMain/kotlin/com/fab1an/kotlinjsonstream/JsonWriter.kt
@@ -134,12 +134,13 @@ class JsonWriter(private val sink: BufferedSink, val prettyPrint: Boolean = fals
      * Writes [value].
      */
     fun value(value: Double): JsonWriter {
+        check(!value.isInfinite() && !value.isNaN()) {"infinite or NaN numbers are not allowed in json"}
         expectValue()
-        if (value.rem(1) == 0.0) {
-            sink.writeUtf8(value.toInt().toString())
-
+        val strValue = value.toString()
+        if (strValue.endsWith(".0")) {
+            sink.writeUtf8(strValue.substring(0, strValue.lastIndex - 1))
         } else {
-            sink.writeUtf8(value.toString())
+            sink.writeUtf8(strValue)
         }
 
         return this

diff --git a/src/commonTest/kotlin/com/fab1an/kotlinjsonstream/JsonWriterTest.kt b/src/commonTest/kotlin/com/fab1an/kotlinjsonstream/JsonWriterTest.kt
@@ -2,6 +2,7 @@ package com.fab1an.kotlinjsonstream
 
 import okio.Buffer
 import kotlin.test.Test
+import kotlin.test.assertFails
 import kotlin.test.assertFailsWith
 
 class JsonWriterTest {
@@ -117,4 +118,60 @@ class JsonWriterTest {
             [1]
         """.trimIndent()
     }
+
+    @Test
+    fun writeLargeDouble() {
+        val buffer = Buffer()
+        val double = 1E10
+        JsonWriter(buffer).apply {
+            beginArray()
+            value(double)
+            endArray()
+        }
+
+       JsonReader(buffer.readUtf8()).apply {
+           beginArray()
+           nextDouble() shouldEqual double
+           endArray()
+       }
+    }
+
+    @Test
+    fun writeInvalidDoublePosInfinity() {
+        val buffer = Buffer()
+        val double = Double.POSITIVE_INFINITY
+        JsonWriter(buffer).apply {
+            beginArray()
+            assertFails {
+                value(double)
+            }
+            endArray()
+        }
+    }
+
+    @Test
+    fun writeInvalidDoubleNegInfinity() {
+        val buffer = Buffer()
+        val double = Double.NEGATIVE_INFINITY
+        JsonWriter(buffer).apply {
+            beginArray()
+            assertFails {
+                value(double)
+            }
+            endArray()
+        }
+    }
+
+    @Test
+    fun writeInvalidDoubleNan() {
+        val buffer = Buffer()
+        val double = Double.NaN
+        JsonWriter(buffer).apply {
+            beginArray()
+            assertFails {
+                value(double)
+            }
+            endArray()
+        }
+    }
 }
diff --git a/src/jvmTest/kotlin/com/fab1an/kotlinjsonstream/JsonFuzzTest.kt b/src/jvmTest/kotlin/com/fab1an/kotlinjsonstream/JsonFuzzTest.kt
@@ -0,0 +1,63 @@
+package com.fab1an.kotlinjsonstream
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider
+import com.code_intelligence.jazzer.junit.FuzzTest
+import okio.Buffer
+
+class JsonFuzzTest {
+
+    @FuzzTest
+    fun intFuzzing(data: FuzzedDataProvider) {
+        val int = data.consumeInt()
+
+        val buffer = Buffer()
+        JsonWriter(buffer).apply {
+            beginArray()
+            value(int)
+            endArray()
+        }
+
+        JsonReader(buffer.readUtf8()).apply {
+            beginArray()
+            nextInt() shouldEqual int
+            endArray()
+        }
+    }
+
+    @FuzzTest
+    fun doubleFuzzing(data: FuzzedDataProvider) {
+        val double = data.consumeDouble()
+        if (double.isNaN() || double.isInfinite()) return
+
+        val buffer = Buffer()
+        JsonWriter(buffer).apply {
+            beginArray()
+            value(double)
+            endArray()
+        }
+
+        JsonReader(buffer.readUtf8()).apply {
+            beginArray()
+            nextDouble() shouldEqual double
+            endArray()
+        }
+    }
+
+    @FuzzTest
+    fun stringFuzzing(data: FuzzedDataProvider) {
+        val text = data.consumeRemainingAsString()
+
+        val buffer = Buffer()
+        JsonWriter(buffer).apply {
+            beginArray()
+            value(text)
+            endArray()
+        }
+
+        JsonReader(buffer.readUtf8()).apply {
+            beginArray()
+            nextString() shouldEqual text
+            endArray()
+        }
+    }
+}
diff --git a/src/jvmTest/resources/com/fab1an/kotlinjsonstream/JsonFuzzTestInputs/doubleFuzzing/crash1 b/src/jvmTest/resources/com/fab1an/kotlinjsonstream/JsonFuzzTestInputs/doubleFuzzing/crash1
@@ -0,0 +1 @@
+-1.7976931348623157E308