feat: Ignore extraneous ampersands for wfu-implied-composite values

dmaccormack · dmaccormack · commit f6f29d5d0ce6 · 2020-10-26T20:44:25.000-04:00
diff --git a/module/jsonurl-core/src/main/java/org/jsonurl/JsonUrl.java b/module/jsonurl-core/src/main/java/org/jsonurl/JsonUrl.java
@@ -66,6 +66,43 @@ static final class Parse { //NOPMD - internal utility class
         private Parse() {
         }
         
+        /**
+         * Used to skip/ignore "extra" ampersands in www-form-urlencoded data.
+         * This skipping/ignoring is done in order to be compatible with
+         * existing decoders (e.g. those built into browsers and web
+         * service/application containers), which also ignore "extra"
+         * ampersands rather than inserting empty values or throwing an
+         * Error/Exception.
+         *
+         * <p>Note, this skipping/ignoring is <b>only</b> for
+         * wfu-value-separator (ampersand), <b>not</b> value-separator
+         * (comma). This is on purpose. There's no compatibility concern
+         * in the later case and it allows for the option to use a zero
+         * length string as the empty string.
+         */
+        static int skipAmps(CharSequence text, int off, int end) {
+            if (off == end || text.charAt(off) != '&') {
+                // nothing to skip
+                return off;
+            }
+
+            int pos;
+
+            for (pos = off; pos < end && text.charAt(pos) == '&'; pos++) {
+                // skip all consecutive amps
+            }
+
+            if (pos == end) {
+                // one or more amps followed by end-of-string
+                return end;
+            }
+
+            //
+            // return the position of the last amp before the next usable char
+            //
+            return pos - 1;
+        }
+        
         static NumberBuilder newNumberBuilder(
             ValueFactory<?,?,?,?,?,?,?,?,?,?> factory) {
             
diff --git a/module/jsonurl-core/src/main/java/org/jsonurl/Parser.java b/module/jsonurl-core/src/main/java/org/jsonurl/Parser.java
@@ -691,11 +691,28 @@ private <R> R parse(
         
         final boolean wwwFormUrlEncoded = this.isFormUrlEncoded();
 
+        //
+        // when I'm effectively a replacement for
+        // ServletRequest.getParameterValues() or similar then I need to
+        // accept and skip extra ampersands.
+        //
+        final boolean skipExtraAmps = wwwFormUrlEncoded
+                && (impliedArray || impliedObject);
+
         int parseDepth = 1;
         int parseValueCount = 0;
 
+        if (skipExtraAmps) {
+            //
+            // ignore random amps at the beginning of the string
+            //
+            while (pos < stop && text.charAt(pos) == WFU_VALUE_SEPARATOR) {
+                pos++;
+            }
+        }
+
         for (;;) {
-            if (pos == stop) {
+            if (stop <= pos) {
                 throw new SyntaxException(MSG_STILL_OPEN, pos);
             }
 
@@ -781,15 +798,21 @@ private <R> R parse(
                     stateStack.pop();
                     result.setLocation(pos).addEmptyComposite();
 
-                    if (pos == stop && parseDepth == 1) {
-                        if (impliedArray) {
-                            return result.addArrayElement().endArray().getResult();
-                        }
-                        if (impliedObject) {
-                            return result.addObjectElement().endObject().getResult();
+                    if (parseDepth == 1) { // NOPMD - AvoidLiteralsInIfCondition
+                        if (skipExtraAmps) {
+                            pos = JsonUrl.Parse.skipAmps(text, pos, stop);
                         }
 
-                        throw new SyntaxException(MSG_STILL_OPEN, pos);
+                        if (pos == stop) {
+                            if (impliedArray) {
+                                return result.addArrayElement().endArray().getResult();
+                            }
+                            if (impliedObject) {
+                                return result.addObjectElement().endObject().getResult();
+                            }
+
+                            throw new SyntaxException(MSG_STILL_OPEN, pos);
+                        }    
                     }
 
                     continue;
@@ -814,6 +837,8 @@ private <R> R parse(
 
                 pos += litlen;
 
+                int litend = pos; // NOPMD = capture literal end position
+
                 if (pos == stop) {
                     throw new SyntaxException(MSG_STILL_OPEN, pos);
                 }
@@ -825,6 +850,10 @@ private <R> R parse(
                     if (!wwwFormUrlEncoded || parseDepth != 1) {
                         throw new SyntaxException(MSG_BAD_CHAR, pos);
                     }
+                    //
+                    // not calling JsonUrl.Parse.skipAmps here because I
+                    // can't find a use case where it is needed
+                    //
                     // fall through
                 case VALUE_SEPARATOR:
                     //
@@ -852,7 +881,7 @@ private <R> R parse(
                     result
                         .setLocation(litpos)
                         .beginArray()
-                        .addLiteral(text, litpos, pos);
+                        .addLiteral(text, litpos, litend);
 
                     continue;
 
@@ -887,6 +916,9 @@ private <R> R parse(
                         throw new SyntaxException(MSG_EXTRA_CHARS, pos);
 
                     case 1:
+                        if (skipExtraAmps) {
+                            pos = JsonUrl.Parse.skipAmps(text, pos, stop);
+                        }
                         if (pos == stop) {
                             if (impliedArray) {
                                 return result
@@ -976,6 +1008,10 @@ private <R> R parse(
                     .setLocation(litpos)
                     .addLiteral(text, litpos, pos);
 
+                if (skipExtraAmps && parseDepth == 1) {
+                    pos = JsonUrl.Parse.skipAmps(text, pos, stop);
+                }
+
                 if (pos == stop) {
                     if (parseDepth == 1 && impliedArray) {
                         return result.addArrayElement().endArray().getResult();
@@ -993,6 +1029,11 @@ private <R> R parse(
                     if (!wwwFormUrlEncoded || parseDepth != 1) {
                         throw new SyntaxException(MSG_BAD_CHAR, pos);
                     }
+                    //
+                    // not calling JsonUrl.Parse.skipAmps here because I
+                    // can't find a use case where it is needed
+                    //
+
                     // fall through
                 case VALUE_SEPARATOR:
                     stateStack.set(0, State.IN_ARRAY);
@@ -1013,6 +1054,9 @@ private <R> R parse(
                         throw new SyntaxException(MSG_EXTRA_CHARS, pos);
 
                     case 1:
+                        if (skipExtraAmps) {
+                            pos = JsonUrl.Parse.skipAmps(text, pos, stop);
+                        }
                         if (pos == stop) {
                             if (impliedArray) {
                                 return result.addArrayElement().endArray().getResult();
@@ -1066,7 +1110,11 @@ private <R> R parse(
                 result
                     .setLocation(litpos)
                     .addLiteral(text, litpos, pos);
-                
+
+                if (skipExtraAmps && parseDepth == 1) {
+                    pos = JsonUrl.Parse.skipAmps(text, pos, stop);
+                }
+
                 if (pos == stop) {
                     if (parseDepth == 1 && impliedObject) {
                         return result.addObjectElement().endObject().getResult();    
@@ -1105,6 +1153,9 @@ private <R> R parse(
                         throw new SyntaxException(MSG_EXTRA_CHARS, pos);
 
                     case 1:
+                        if (skipExtraAmps) {
+                            pos = JsonUrl.Parse.skipAmps(text, pos, stop);
+                        }
                         if (pos == stop) {
                             if (impliedArray) {
                                 return result.addArrayElement().endArray().getResult();
@@ -1131,6 +1182,11 @@ private <R> R parse(
                 litpos = pos;
                 litlen = parseLiteralLength(text, pos, stop, MSG_STILL_OPEN);
                 pos += litlen;
+                litend = pos;
+
+                if (skipExtraAmps && parseDepth == 1) {
+                    pos = JsonUrl.Parse.skipAmps(text, pos, stop);
+                }
 
                 if (pos == stop) {
                     if (impliedObject && parseDepth == 1) {
@@ -1139,7 +1195,7 @@ private <R> R parse(
                             .addMissingValue(
                                     text,
                                     litpos,
-                                    pos)
+                                    litend)
                             .addObjectElement()
                             .endObject()
                             .getResult();
@@ -1174,7 +1230,7 @@ private <R> R parse(
                             .addMissingValue(
                                     text,
                                     litpos,
-                                    pos);
+                                    litend);
 
                         stateStack.set(0, State.OBJECT_AFTER_ELEMENT);
                         continue;
@@ -1188,7 +1244,7 @@ private <R> R parse(
 
                 result
                     .setLocation(litpos)
-                    .addObjectKey(text, litpos, pos);
+                    .addObjectKey(text, litpos, litend);
 
                 pos++;
                 continue;
diff --git a/module/jsonurl-core/src/test/java/org/jsonurl/AbstractParseTest.java b/module/jsonurl-core/src/test/java/org/jsonurl/AbstractParseTest.java
@@ -1400,6 +1400,50 @@ void testObjectWfu(String text) {
                     factory.newObjectBuilder()));
         }
 
+        @ParameterizedTest
+        @Tag(TAG_PARSE)
+        @Tag(TAG_OBJECT)
+        @ValueSource(strings = {
+            "a=b&&c:d",
+            "a=b&c=d&",
+            "a=b&c=d&&",
+            "a=b&&c=d",
+            "a&&c=d",
+            "a=b&&c",
+            "a=b&&c&",
+            "&a=b&c=d",
+            "a=b&&c:d&&e:f",
+        })
+        void testObjectWfuExtraAmps(String text) {
+            Parser p = new Parser();
+            
+            assertThrows(
+                SyntaxException.class,
+                () -> p.parseObject(
+                    text,
+                    factory,
+                    factory.newObjectBuilder()),
+                text);
+
+            p.setFormUrlEncoded(true);
+
+            assertTrue(p.isFormUrlEncoded(), text);
+
+            assertObjectWfu(
+                text,
+                p.parseObject(
+                    text,
+                    factory,
+                    factory.newObjectBuilder(),
+                    (key, pos) -> {
+                        switch (key) {
+                        case "a": return factory.getString("b");
+                        case "c": return factory.getString("d");
+                        default: return null;
+                        }
+                    }));
+        }
+
         private void assertArrayWfu(String text, A actual) {
             assertEquals(
                 factory.getString("a"),
@@ -1445,6 +1489,49 @@ void testArrayWfu(String text) {
                     factory.newArrayBuilder()));
         }
 
+        @ParameterizedTest
+        @Tag(TAG_PARSE)
+        @Tag(TAG_ARRAY)
+        @ValueSource(strings = {
+            "&a",
+            "a&",
+            "&a&",
+            "a&&b",
+            "&a&b",
+            "&a&b&",
+            "a&b&",
+            "a&b&&c&d",
+            "a&b&c&&d",
+            "a&&false&&1.234&&null&&()&&(1)&&(1,2,3)&&(a:d,b:a)&&",
+            "a&true&",
+            "a&()&",
+            "a&(1)&",
+            "a&(1,2)&",
+            "a&(a:b)&",
+        })
+        void testArrayWfuExtraAmps(String text) {
+            Parser p = new Parser();
+
+            assertThrows(
+                SyntaxException.class,
+                () -> p.parseArray(
+                    text,
+                    factory,
+                    factory.newArrayBuilder()),
+                text);
+
+            p.setFormUrlEncoded(true);
+
+            assertTrue(p.isFormUrlEncoded(), text);
+
+            assertArrayWfu(
+                text,
+                p.parseArray(
+                    text,
+                    factory,
+                    factory.newArrayBuilder()));
+        }
+
         @ParameterizedTest
         @Tag(TAG_PARSE)
         @Tag(TAG_ARRAY)
diff --git a/module/jsonurl-core/src/test/java/org/jsonurl/JsonUrlOptionsTest.java b/module/jsonurl-core/src/test/java/org/jsonurl/JsonUrlOptionsTest.java
@@ -135,4 +135,22 @@ public boolean isSkipNulls() {
         assertTrue(options.isSkipNulls(), test);
     }
 
+    @Test
+    void testFormUrlEncoded() {
+        String test = "FormUrlEncoded";
+
+        assertFalse(JsonUrlOptions.isFormUrlEncoded(null), test);
+        assertFalse(new JsonUrlOptions() {}.isFormUrlEncoded(), test);
+
+        JsonUrlOptions options = new JsonUrlOptions() {
+            @Override
+            public boolean isFormUrlEncoded() {
+                return true;
+            }
+        };
+
+        assertTrue(JsonUrlOptions.isFormUrlEncoded(options), test);
+        assertTrue(options.isFormUrlEncoded(), test);
+    }
+
 }
