
Unified Diff: components/safe_json/json_sanitizer_android.cc

Issue 1203083002: Add a JSON sanitizer. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: x Created 5 years, 5 months ago
Index: components/safe_json/json_sanitizer_android.cc
diff --git a/components/safe_json/json_sanitizer_android.cc b/components/safe_json/json_sanitizer_android.cc
new file mode 100644
index 0000000000000000000000000000000000000000..20754b75c178d2d09d4a54fa8671f24004def52e
--- /dev/null
+++ b/components/safe_json/json_sanitizer_android.cc
@@ -0,0 +1,126 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/safe_json/json_sanitizer.h"
+
+#include "base/android/jni_string.h"
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/memory/weak_ptr.h"
+#include "base/message_loop/message_loop.h"
+#include "base/strings/string_util.h"
+#include "jni/JsonSanitizer_jni.h"
+
+namespace safe_json {
+
+namespace {
+
+// An implementation of JsonSanitizer that calls into Java. It deals with
+// malformed input (in particular malformed Unicode encodings) in the following
+// steps:
+// 1. The input string is checked for whether it is well-formed UTF-8. Malformed
Robert Sesek 2015/07/07 21:54:16 Is this step required, or does (2) have unexpected
Bernhard Bauer 2015/07/08 11:54:29 Step 2 will replace any invalid characters or mult
+// UTF-8 is rejected.
+// 2. The UTF-8 string is converted in native code to a Java String, which is
+// encoded as UTF-16.
+// 2. The Java String is parsed as JSON in the memory-safe environment of the
+// Java VM and any string literals are unescaped.
+// 3. The string literals themselves are now untrusted, so they are checked in
+// Java for whether they are valid UTF-16.
+// 4. The parsed JSON with sanitized literals is encoded back into a Java
+// String and passed back to native code.
+// 5. The Java String is converted back to UTF-8 in native code.
+// This ensures that both invalid UTF-8 and invalid escaped UTF-16 will be
+// rejected.
+class JsonSanitizerAndroid : public JsonSanitizer {
+ public:
+ JsonSanitizerAndroid(const StringCallback& success_callback,
+ const StringCallback& error_callback);
+ ~JsonSanitizerAndroid() override {}
+
+ // JsonSanitizer implementation:
+ void Start(const std::string& unsafe_json) override;
+
+ void OnSuccess(const std::string& json);
+ void OnError(const std::string& error);
+
+ private:
+ void RunStringCallback(const StringCallback& callback,
+ const std::string& value);
+
+ StringCallback success_callback_;
+ StringCallback error_callback_;
+
+ base::WeakPtrFactory<JsonSanitizerAndroid> weak_ptr_factory_;
+
+ DISALLOW_COPY_AND_ASSIGN(JsonSanitizerAndroid);
+};
+
+JsonSanitizerAndroid::JsonSanitizerAndroid(
+ const StringCallback& success_callback,
+ const StringCallback& error_callback)
+ : success_callback_(success_callback),
+ error_callback_(error_callback),
+ weak_ptr_factory_(this) {}
+
+void JsonSanitizerAndroid::Start(const std::string& unsafe_json) {
+ // The JSON parser only accepts wellformed UTF-8.
+ if (!base::IsStringUTF8(unsafe_json)) {
+ OnError("Unsupported encoding");
+ return;
+ }
+
+ JNIEnv* env = base::android::AttachCurrentThread();
+ base::android::ScopedJavaLocalRef<jstring> unsafe_json_java =
+ base::android::ConvertUTF8ToJavaString(env, unsafe_json);
+ Java_JsonSanitizer_sanitize(env, reinterpret_cast<jlong>(this),
+ unsafe_json_java.obj());
+}
+
+void JsonSanitizerAndroid::OnSuccess(const std::string& json) {
+ base::MessageLoop::current()->PostTask(
+ FROM_HERE,
+ base::Bind(&JsonSanitizerAndroid::RunStringCallback,
+ weak_ptr_factory_.GetWeakPtr(), success_callback_, json));
+}
+
+void JsonSanitizerAndroid::OnError(const std::string& error) {
+ base::MessageLoop::current()->PostTask(
+ FROM_HERE,
+ base::Bind(&JsonSanitizerAndroid::RunStringCallback,
+ weak_ptr_factory_.GetWeakPtr(), error_callback_, error));
+}
+
+void JsonSanitizerAndroid::RunStringCallback(const StringCallback& callback,
+ const std::string& value) {
+ callback.Run(value);
+}
+
+} // namespace
+
+void OnSuccess(JNIEnv* env, jclass clazz, jlong jsanitizer, jstring json) {
+ JsonSanitizerAndroid* sanitizer =
+ reinterpret_cast<JsonSanitizerAndroid*>(jsanitizer);
+ sanitizer->OnSuccess(base::android::ConvertJavaStringToUTF8(env, json));
+}
+
+void OnError(JNIEnv* env, jclass clazz, jlong jsanitizer, jstring error) {
+ JsonSanitizerAndroid* sanitizer =
+ reinterpret_cast<JsonSanitizerAndroid*>(jsanitizer);
+ sanitizer->OnError(base::android::ConvertJavaStringToUTF8(env, error));
+}
+
+// static
+scoped_ptr<JsonSanitizer> JsonSanitizer::Create(
+ const StringCallback& success_callback,
+ const StringCallback& error_callback) {
+ return make_scoped_ptr(
+ new JsonSanitizerAndroid(success_callback, error_callback));
+}
+
+// static
+bool JsonSanitizer::Register(JNIEnv* env) {
+ return RegisterNativesImpl(env);
+}
+
+} // namespace safe_json
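Review bot: The native `OnSuccess`/`OnError` entry points near the end of the file cast `jsanitizer` back to a `JsonSanitizerAndroid*` and dereference it with no lifetime check, so the raw `this` that `Start()` hands to `Java_JsonSanitizer_sanitize` is only safe if the Java side calls back before `Start()` returns and never retains the value. The `WeakPtr` bound into the posted task guards the deferred callback but not this pointer, and the hunk does not show whether the Java `sanitize` is synchronous. I would state that contract at the call site, e.g. `// |this| is passed as a raw pointer: Java must call OnSuccess/OnError synchronously and must not retain it.`, and add `DCHECK(sanitizer);` in both JNI functions. Separately, the class comment numbers two steps as "2.", so the list reads as five steps when it has six.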
