Skip to content

Fix #1009, reject empty array reference token in decode_array_index_from_pointer#1032

Open
dalisyron wants to merge 1 commit into
DaveGamble:masterfrom
dalisyron:fix-empty-array-pointer-token
Open

Fix #1009, reject empty array reference token in decode_array_index_from_pointer#1032
dalisyron wants to merge 1 commit into
DaveGamble:masterfrom
dalisyron:fix-empty-array-pointer-token

Conversation

@dalisyron

@dalisyron dalisyron commented Jun 8, 2026

Copy link
Copy Markdown

Problem

decode_array_index_from_pointer() accepts an empty reference token and decodes it as index 0, which is not valid per RFC 6901, section 4: when the referenced value is an array, the token must be either a non-negative integer without leading zeroes or -. An empty string is not a valid array index.

Because get_item_from_pointer() (and the JSON Patch code) call this whenever the current value is an array, invalid pointers containing an empty array token silently resolve to the first element:

cJSONUtils_GetPointer(array,  "/");   /* returned array[0],     should be NULL */
cJSONUtils_GetPointer(nested, "/0/"); /* returned nested[0][0], should be NULL */

The same empty token also made JSON Patch operate on array[0] for paths that are not valid array locations, although RFC 6902 requires such operations to fail:

[{ "op": "remove",  "path": "/" }]                 // removed the first element
[{ "op": "replace", "path": "/", "value": "x" }]   // replaced the first element
[{ "op": "move",    "from": "/", "path": "/1" }]   // detached the first element

Fix

Reject an empty reference token (first character '\0' or '/') at the top of decode_array_index_from_pointer(), before the index is parsed. It is a cheap, local guard, consistent with the existing leading-zero check just below it.

This only affects array index decoding. The valid empty-string object key (e.g. "/" applied to an object, or a trailing slash on a nested object) is intentionally left untouched, because that path never goes through array index decoding — the existing old_utils_tests.c and tests.json cases for it still pass.

Verification

  • Added a regression test json_pointer_should_reject_empty_array_index in tests/old_utils_tests.c, next to the existing JSON Pointer tests, plus two JSON Patch cases in tests/json-patch-tests/cjson-utils-tests.json (remove/replace with path "/" on an array must fail). All of them fail before this change and pass after it.
  • Full test suite passes under GCC and Clang with -DENABLE_CJSON_UTILS=ON -DENABLE_SANITIZERS=ON (22/22, ASan/UBSan clean).
  • cJSON_Utils.c compiles cleanly under the strict warning set (-Werror -Wconversion -Wc++-compat -pedantic -std=c89).

Fixes #1009

@dalisyron
Fix DaveGamble#1009, reject empty array reference token in decode_arr…
02fcc4e 
…ay_index_from_pointer

An empty reference token (the path "/" applied to an array, or a
trailing/empty token such as "/0/") was accepted by
decode_array_index_from_pointer() and decoded as index 0, contrary to
RFC 6901. Invalid JSON Pointers could therefore resolve to the first
array element, so cJSONUtils_GetPointer() and the JSON Patch
add/remove/replace/move/copy/test operations could read or modify
array[0] for a path that is not a valid array location.

Reject an empty reference token (leading '\0' or '/') before parsing the
index. The valid empty-string object key (e.g. "/" on an object) is
unaffected, since that path does not go through array index decoding.

Add regression tests for cJSONUtils_GetPointer and JSON Patch.
@dalisyron dalisyron force-pushed the fix-empty-array-pointer-token branch from ff09035 to 02fcc4e Compare June 8, 2026 21:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Empty array reference token is incorrectly accepted as index 0 in JSON Pointer evaluation

1 participant

@dalisyron