From 0d30f12f3f64dbe58bd816597856fb34d9e31fcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20K=C3=B6gl?= <stefan@skoegl.net>
Date: Sat, 28 Oct 2017 12:46:41 +0200
Subject: Perform input validation in JsonPoiner

---
 jsonpointer.py | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'jsonpointer.py')

diff --git a/jsonpointer.py b/jsonpointer.py
index 097627f..fd54569 100644
--- a/jsonpointer.py
+++ b/jsonpointer.py
@@ -167,8 +167,16 @@ class JsonPointer(object):
     # Array indices must not contain:
     # leading zeros, signs, spaces, decimals, etc
     _RE_ARRAY_INDEX = re.compile('0|[1-9][0-9]*$')
+    _RE_INVALID_ESCAPE = re.compile('(~[^01]|~$)')
 
     def __init__(self, pointer):
+
+        # validate escapes
+        invalid_escape = self._RE_INVALID_ESCAPE.search(pointer)
+        if invalid_escape:
+            raise JsonPointerException('Found invalid escape {0}'.format(
+                invalid_escape.group()))
+
         parts = pointer.split('/')
         if parts.pop(0) != '':
             raise JsonPointerException('location must starts with /')
-- 
cgit v1.2.1