Merge pull request #1046 from yuki-matsuhashi/master

Validate XML numeric character references before string construction

src/main/java/org/json/JSONObject.java

@@ -3349,7 +3349,7 @@ public class JSONObject {
      * of the given class. It supports basic data types including {@code int}, {@code double},
      * {@code float}, {@code long}, and {@code boolean}, as well as their boxed counterparts.
      * The target class must have a no-argument constructor, and its field names must match
-     * the keys in the JSON string.
+     * the keys in the JSON string. Static fields are ignored.
      *
      * <p><strong>Note:</strong> Only classes that are explicitly supported and registered within
      * the {@code JSONObject} context can be deserialized. If the provided class is not among those,
@@ -3366,6 +3366,9 @@ public class JSONObject {
         try {
             T obj = clazz.getDeclaredConstructor().newInstance();
             for (Field field : clazz.getDeclaredFields()) {
+                if (Modifier.isStatic(field.getModifiers())) {
+                    continue;
+                }
                 field.setAccessible(true);
                 String fieldName = field.getName();
                 if (has(fieldName)) {

src/main/java/org/json/XML.java

@@ -158,7 +158,7 @@ public class XML {
      * @param cp code point to test
      * @return true if the code point is not valid for an XML
      */
-    private static boolean mustEscape(int cp) {
+    static boolean mustEscape(int cp) {
         /* Valid range from https://www.w3.org/TR/REC-xml/#charsets
          *
          * #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]

src/main/java/org/json/XMLTokener.java

@@ -167,6 +167,9 @@ public class XMLTokener extends JSONTokener {
             int cp = (e.charAt(1) == 'x' || e.charAt(1) == 'X')
                 ? parseHexEntity(e)
                 : parseDecimalEntity(e);
+            if (XML.mustEscape(cp)) {
+                throw new JSONException("Invalid numeric character reference: &#" + e.substring(1) + ";");
+            }
             return new String(new int[] {cp}, 0, 1);
         }
         Character knownEntity = entity.get(e);

src/test/java/org/json/junit/JSONObjectTest.java

@@ -66,6 +66,7 @@ import org.json.junit.data.CustomClassF;
 import org.json.junit.data.CustomClassG;
 import org.json.junit.data.CustomClassH;
 import org.json.junit.data.CustomClassI;
+import org.json.junit.data.CustomClassJ;
 import org.json.JSONObject;
 import org.junit.After;
 import org.junit.Ignore;
@@ -4232,4 +4233,21 @@ public class JSONObjectTest {
         CustomClassI compareClassI = new CustomClassI(dataList);
         assertEquals(customClassI.integerMap.toString(), compareClassI.integerMap.toString());
     }
+
+    @Test
+    public void jsonObjectParseFromJson_9() {
+        JSONObject object = new JSONObject();
+        object.put("number", 12);
+        object.put("classState", "mutated");
+
+        String initialClassState = CustomClassJ.classState;
+        CustomClassJ.classState = "original";
+        try {
+            CustomClassJ customClassJ = object.fromJson(CustomClassJ.class);
+            assertEquals(12, customClassJ.number);
+            assertEquals("original", CustomClassJ.classState);
+        } finally {
+            CustomClassJ.classState = initialClassState;
+        }
+    }
 }

src/test/java/org/json/junit/XMLTest.java

@@ -1468,6 +1468,42 @@ public class XMLTest {
         XML.toJSONObject(xmlStr);
     }
 
+    /**
+     * Tests that out-of-range hex entities throw JSONException rather than an uncaught runtime exception.
+     */
+    @Test(expected = JSONException.class)
+    public void testOutOfRangeHexEntityThrowsJSONException() {
+        String xmlStr = "<a>&#x110000;</a>";
+        XML.toJSONObject(xmlStr);
+    }
+
+    /**
+     * Tests that out-of-range decimal entities throw JSONException rather than an uncaught runtime exception.
+     */
+    @Test(expected = JSONException.class)
+    public void testOutOfRangeDecimalEntityThrowsJSONException() {
+        String xmlStr = "<a>&#1114112;</a>";
+        XML.toJSONObject(xmlStr);
+    }
+
+    /**
+     * Tests that surrogate code point entities throw JSONException.
+     */
+    @Test(expected = JSONException.class)
+    public void testSurrogateHexEntityThrowsJSONException() {
+        String xmlStr = "<a>&#xD800;</a>";
+        XML.toJSONObject(xmlStr);
+    }
+
+    /**
+     * Tests that out-of-range numeric entities in attribute values throw JSONException.
+     */
+    @Test(expected = JSONException.class)
+    public void testOutOfRangeHexEntityInAttributeThrowsJSONException() {
+        String xmlStr = "<a b=\"&#x110000;\"/>";
+        XML.toJSONObject(xmlStr);
+    }
+
     /**
      * Tests that valid decimal numeric entity &#65; works correctly.
      * Should decode to character 'A'.

src/test/java/org/json/junit/data/CustomClassJ.java

@@ -0,0 +1,10 @@
+package org.json.junit.data;
+
+public class CustomClassJ {
+  public static String classState = "original";
+  public int number;
+
+  public CustomClassJ() {
+    // Required for JSONObject#fromJson(Class<T>) tests.
+  }
+}