Merge pull request #11304 from grails/issue-11271

graemerocher · web-flow · commit 206b582c50ce · 2019-04-30T16:18:15.000+02:00
issue-11271
diff --git a/grails-web-common/src/main/groovy/org/grails/web/json/JSONTokener.java b/grails-web-common/src/main/groovy/org/grails/web/json/JSONTokener.java
@@ -467,7 +467,8 @@ public void skipPast(String to) {
      * @return A JSONException object, suitable for throwing
      */
     public JSONException syntaxError(String message) {
-        return new JSONException(message + toString());
+
+        return new JSONException(message + toRegexSafeString());
     }
 
 
@@ -480,4 +481,26 @@ public JSONException syntaxError(String message) {
     public String toString() {
         return " at character " + this.myIndex + " of " + this.mySource;
     }
+
+    /**
+     * Make a regex safe printable string of this JSONTokener.
+     *
+     * @return " at character [this.myIndex] of [this.mySource]"
+     */
+    public String toRegexSafeString() {
+        int endIndex = mySource.length();
+        boolean appendDots = false;
+        if (endIndex > 20) {
+            // only show first 20 characters of source to prevent reDOS attacks, especially in Java 8 regexp engine
+            // see https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS for more info
+            endIndex = 19;
+            appendDots = true;
+        }
+        StringBuffer output = new StringBuffer(" at character " + this.myIndex + " of " + this.mySource.substring(0, endIndex));
+        if (appendDots) {
+            output.append("...");
+        }
+        return Matcher.quoteReplacement(output.toString());
+    }
+
 }
