NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitb574228

committed

Add tests for json{b}_populate_recordset() crash case.

The problem reported asCVE-2017-15098 was already resolved in HEAD bycommit37a795a, but let's add the relevant test cases anyway.Michael Paquier and Tom Lane, per a report from David Rowley.Security:CVE-2017-15098

1 parentdfc015d commitb574228Copy full SHA for b574228

File tree

4 files changed

+38

-0

lines changed

src/test/regress
- expected
  - json.out
  - jsonb.out
- sql
  - json.sql
  - jsonb.sql

4 files changed

+38

-0

lines changed

`‎src/test/regress/expected/json.out`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1857,6 +1857,19 @@ SELECT json_populate_recordset(row(1,2)::j_ordered_pair, '[{"x": 0}, {"y": 3}]')`
`1857`	`1857`
`1858`	`1858`	`SELECT json_populate_recordset(row(1,2)::j_ordered_pair, '[{"x": 1, "y": 0}]');`
`1859`	`1859`	`ERROR: value for domain j_ordered_pair violates check constraint "j_ordered_pair_check"`
	`1860`	`+-- negative cases where the wrong record type is supplied`
	`1861`	`+select * from json_populate_recordset(row(0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (a text, b text);`
	`1862`	`+ERROR: function return row and query-specified return row do not match`
	`1863`	`+DETAIL: Returned row contains 1 attribute, but query expects 2.`
	`1864`	`+select * from json_populate_recordset(row(0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (a text, b text);`
	`1865`	`+ERROR: function return row and query-specified return row do not match`
	`1866`	`+DETAIL: Returned type integer at ordinal position 1, but query expects text.`
	`1867`	`+select * from json_populate_recordset(row(0::int,0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (a text, b text);`
	`1868`	`+ERROR: function return row and query-specified return row do not match`
	`1869`	`+DETAIL: Returned row contains 3 attributes, but query expects 2.`
	`1870`	`+select * from json_populate_recordset(row(1000000000::int,50::int),'[{"b":"2"},{"a":"3"}]') q (a text, b text);`
	`1871`	`+ERROR: function return row and query-specified return row do not match`
	`1872`	`+DETAIL: Returned type integer at ordinal position 1, but query expects text.`
`1860`	`1873`	`-- test type info caching in json_populate_record()`
`1861`	`1874`	`CREATE TEMP TABLE jspoptest (js json);`
`1862`	`1875`	`INSERT INTO jspoptest`

`‎src/test/regress/expected/jsonb.out`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2539,6 +2539,19 @@ SELECT jsonb_populate_recordset(row(1,2)::jb_ordered_pair, '[{"x": 0}, {"y": 3}]`
`2539`	`2539`
`2540`	`2540`	`SELECT jsonb_populate_recordset(row(1,2)::jb_ordered_pair, '[{"x": 1, "y": 0}]');`
`2541`	`2541`	`ERROR: value for domain jb_ordered_pair violates check constraint "jb_ordered_pair_check"`
	`2542`	`+-- negative cases where the wrong record type is supplied`
	`2543`	`+select * from jsonb_populate_recordset(row(0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (a text, b text);`
	`2544`	`+ERROR: function return row and query-specified return row do not match`
	`2545`	`+DETAIL: Returned row contains 1 attribute, but query expects 2.`
	`2546`	`+select * from jsonb_populate_recordset(row(0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (a text, b text);`
	`2547`	`+ERROR: function return row and query-specified return row do not match`
	`2548`	`+DETAIL: Returned type integer at ordinal position 1, but query expects text.`
	`2549`	`+select * from jsonb_populate_recordset(row(0::int,0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (a text, b text);`
	`2550`	`+ERROR: function return row and query-specified return row do not match`
	`2551`	`+DETAIL: Returned row contains 3 attributes, but query expects 2.`
	`2552`	`+select * from jsonb_populate_recordset(row(1000000000::int,50::int),'[{"b":"2"},{"a":"3"}]') q (a text, b text);`
	`2553`	`+ERROR: function return row and query-specified return row do not match`
	`2554`	`+DETAIL: Returned type integer at ordinal position 1, but query expects text.`
`2542`	`2555`	`-- jsonb_to_record and jsonb_to_recordset`
`2543`	`2556`	`select * from jsonb_to_record('{"a":1,"b":"foo","c":"bar"}')`
`2544`	`2557`	`as x(a int, b text, d text);`

`‎src/test/regress/sql/json.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -553,6 +553,12 @@ SELECT json_populate_recordset(null::j_ordered_pair, '[{"x": 0, "y": 1}]');`
`553`	`553`	`SELECT json_populate_recordset(row(1,2)::j_ordered_pair,'[{"x": 0}, {"y": 3}]');`
`554`	`554`	`SELECT json_populate_recordset(row(1,2)::j_ordered_pair,'[{"x": 1, "y": 0}]');`
`555`	`555`
	`556`	`+-- negative cases where the wrong record type is supplied`
	`557`	`+select*from json_populate_recordset(row(0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (atext, btext);`
	`558`	`+select*from json_populate_recordset(row(0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (atext, btext);`
	`559`	`+select*from json_populate_recordset(row(0::int,0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (atext, btext);`
	`560`	`+select*from json_populate_recordset(row(1000000000::int,50::int),'[{"b":"2"},{"a":"3"}]') q (atext, btext);`
	`561`	`+`
`556`	`562`	`-- test type info caching in json_populate_record()`
`557`	`563`	`CREATE TEMP TABLE jspoptest (js json);`
`558`	`564`

`‎src/test/regress/sql/jsonb.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -669,6 +669,12 @@ SELECT jsonb_populate_recordset(null::jb_ordered_pair, '[{"x": 0, "y": 1}]');`
`669`	`669`	`SELECT jsonb_populate_recordset(row(1,2)::jb_ordered_pair,'[{"x": 0}, {"y": 3}]');`
`670`	`670`	`SELECT jsonb_populate_recordset(row(1,2)::jb_ordered_pair,'[{"x": 1, "y": 0}]');`
`671`	`671`
	`672`	`+-- negative cases where the wrong record type is supplied`
	`673`	`+select*from jsonb_populate_recordset(row(0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (atext, btext);`
	`674`	`+select*from jsonb_populate_recordset(row(0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (atext, btext);`
	`675`	`+select*from jsonb_populate_recordset(row(0::int,0::int,0::int),'[{"a":"1","b":"2"},{"a":"3"}]') q (atext, btext);`
	`676`	`+select*from jsonb_populate_recordset(row(1000000000::int,50::int),'[{"b":"2"},{"a":"3"}]') q (atext, btext);`
	`677`	`+`
`672`	`678`	`-- jsonb_to_record and jsonb_to_recordset`
`673`	`679`
`674`	`680`	`select*from jsonb_to_record('{"a":1,"b":"foo","c":"bar"}')`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb574228

File tree

4 files changed

4 files changed

`‎src/test/regress/expected/json.out`

`‎src/test/regress/expected/jsonb.out`

`‎src/test/regress/sql/json.sql`

`‎src/test/regress/sql/jsonb.sql`

0 commit comments