GODRIVER-1513 Disallow escaped single quotes in extjson keys (#342)

Author: Divjot Arora

bson/bsonrw/json_scanner.go

@@ -183,7 +183,7 @@ func (js *jsonScanner) scanString() (*jsonToken, error) {
 		case '\\':
 			c, err = js.readNextByte()
 			switch c {
-			case '"', '\\', '/', '\'':
+			case '"', '\\', '/':
 				b.WriteByte(c)
 			case 'b':
 				b.WriteByte('\b')

bson/bsonrw/json_scanner_test.go

@@ -97,8 +97,8 @@ func TestJsonScannerValidInputs(t *testing.T) {
 		},
 		{
 			desc:   "valid string--escaped characters",
-			input:  `"\"\\\'\/\b\f\n\r\t"`,
-			tokens: []jsonToken{{t: jttString, v: "\"\\'/\b\f\n\r\t"}},
+			input:  `"\"\\\/\b\f\n\r\t"`,
+			tokens: []jsonToken{{t: jttString, v: "\"\\/\b\f\n\r\t"}},
 		},
 		{
 			desc: "valid literal--true", input: "true",
@@ -275,32 +275,34 @@ func TestJsonScannerValidInputs(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		js := &jsonScanner{r: strings.NewReader(tc.input)}
+		t.Run(tc.desc, func(t *testing.T) {
+			js := &jsonScanner{r: strings.NewReader(tc.input)}
 
-		for _, token := range tc.tokens {
-			c, err := js.nextToken()
-			jttDiff(t, token.t, c.t, tc.desc)
-			jtvDiff(t, token.v, c.v, tc.desc)
-			expectNoError(t, err, tc.desc)
-		}
+			for _, token := range tc.tokens {
+				c, err := js.nextToken()
+				jttDiff(t, token.t, c.t, tc.desc)
+				jtvDiff(t, token.v, c.v, tc.desc)
+				expectNoError(t, err, tc.desc)
+			}
 
-		c, err := js.nextToken()
-		jttDiff(t, jttEOF, c.t, tc.desc)
-		noerr(t, err)
+			c, err := js.nextToken()
+			jttDiff(t, jttEOF, c.t, tc.desc)
+			noerr(t, err)
 
-		// testing early EOF reading
-		js = &jsonScanner{r: iotest.DataErrReader(strings.NewReader(tc.input))}
+			// testing early EOF reading
+			js = &jsonScanner{r: iotest.DataErrReader(strings.NewReader(tc.input))}
 
-		for _, token := range tc.tokens {
-			c, err := js.nextToken()
-			jttDiff(t, token.t, c.t, tc.desc)
-			jtvDiff(t, token.v, c.v, tc.desc)
-			expectNoError(t, err, tc.desc)
-		}
+			for _, token := range tc.tokens {
+				c, err := js.nextToken()
+				jttDiff(t, token.t, c.t, tc.desc)
+				jtvDiff(t, token.v, c.v, tc.desc)
+				expectNoError(t, err, tc.desc)
+			}
 
-		c, err = js.nextToken()
-		jttDiff(t, jttEOF, c.t, tc.desc)
-		noerr(t, err)
+			c, err = js.nextToken()
+			jttDiff(t, jttEOF, c.t, tc.desc)
+			noerr(t, err)
+		})
 	}
 }
 
@@ -309,6 +311,7 @@ func TestJsonScannerInvalidInputs(t *testing.T) {
 		{desc: "missing quotation", input: `"missing`},
 		{desc: "invalid escape character--first character", input: `"\invalid"`},
 		{desc: "invalid escape character--middle", input: `"i\nv\alid"`},
+		{desc: "invalid escape character--single quote", input: `"f\'oo"`},
 		{desc: "invalid literal--trueee", input: "trueee"},
 		{desc: "invalid literal--tire", input: "tire"},
 		{desc: "invalid literal--nulll", input: "nulll"},
@@ -337,10 +340,12 @@ func TestJsonScannerInvalidInputs(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		js := &jsonScanner{r: strings.NewReader(tc.input)}
+		t.Run(tc.desc, func(t *testing.T) {
+			js := &jsonScanner{r: strings.NewReader(tc.input)}
 
-		c, err := js.nextToken()
-		expectNilToken(t, c, tc.desc)
-		expectError(t, err, tc.desc)
+			c, err := js.nextToken()
+			expectNilToken(t, c, tc.desc)
+			expectError(t, err, tc.desc)
+		})
 	}
 }

bson/extjson_prose_test.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"testing"
 
+	"go.mongodb.org/mongo-driver/bson/bsonrw"
 	"go.mongodb.org/mongo-driver/internal/testutil/assert"
 )
 
@@ -28,6 +29,7 @@ func TestExtJSON(t *testing.T) {
 		{"timestamp - negative int64 value", `{"":{"$timestamp":{"t":0,"i":-2147483649}}}`, false, timestampNegativeInt64Err},
 		{"timestamp - value overflows uint32", `{"":{"$timestamp":{"t":0,"i":4294967296}}}`, false, timestampLargeValueErr},
 		{"top level key is not treated as special", `{"$code": "foo"}`, false, nil},
+		{"escaped signle quote errors", `{"f\'oo": "bar"}`, false, bsonrw.ErrInvalidJSON},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {