json: fix json schema version verification

author Fernando Fernandez Mancera <ffmancera@riseup.net>

Fri, 2 Sep 2022 13:35:06 +0000 (15:35 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Sat, 3 Sep 2022 14:04:26 +0000 (16:04 +0200)
author Fernando Fernandez Mancera <ffmancera@riseup.net>
Fri, 2 Sep 2022 13:35:06 +0000 (15:35 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Sat, 3 Sep 2022 14:04:26 +0000 (16:04 +0200)
diff --git a/src/parser_json.c b/src/parser_json.c

index 7180474e76454da658619c1328c8217f7d08b245..46dca9fd0de0bbc940a29eb30aa6a45d19c6557b 100644 (file)
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3862,13 +3862,14 @@ static int json_verify_metainfo(struct json_ctx *ctx, json_t *root)
  {
         int schema_version;
  
-       if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version))
-                       return 0;
-
-       if (schema_version > JSON_SCHEMA_VERSION) {
-               json_error(ctx, "Schema version %d not supported, maximum supported version is %d\n",
-                          schema_version, JSON_SCHEMA_VERSION);
-               return 1;
+       if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version)) {
+               if (schema_version > JSON_SCHEMA_VERSION) {
+                       json_error(ctx,
+                                  "Schema version %d not supported, maximum"
+                                  " supported version is %d\n",
+                                  schema_version, JSON_SCHEMA_VERSION);
+                       return 1;
+               }
         }
  
         return 0;
diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0

new file mode 100755 (executable)

index 0000000..0ccf94c
--- /dev/null
+++ b/tests/shell/testcases/json/0003json_schema_version_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1

new file mode 100755 (executable)

index 0000000..bc451ae
--- /dev/null
+++ b/tests/shell/testcases/json/0004json_schema_version_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 999}}]}'
+
+$NFT -j -f - <<< $RULESET && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft

new file mode 100644 (file)

index 0000000..e69de29
diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft

new file mode 100644 (file)

index 0000000..e69de29
author	Fernando Fernandez Mancera <ffmancera@riseup.net>
	Fri, 2 Sep 2022 13:35:06 +0000 (15:35 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 3 Sep 2022 14:04:26 +0000 (16:04 +0200)
src/parser_json.c		patch \| blob \| blame \| history
tests/shell/testcases/json/0003json_schema_version_0	[new file with mode: 0755]	patch \| blob
tests/shell/testcases/json/0004json_schema_version_1	[new file with mode: 0755]	patch \| blob
tests/shell/testcases/json/dumps/0003json_schema_version_0.nft	[new file with mode: 0644]	patch \| blob
tests/shell/testcases/json/dumps/0004json_schema_version_1.nft	[new file with mode: 0644]	patch \| blob