Sanitize JSON string before parsing it.

Sanitize JSON string before parsing it.

This patch makes PaymentRequestImpl use JsonSanitizer.santize() to
validate and sanitize the JSON string before parsing it.

BUG=617634
Committed: https://crrev.com/4d48c89a785d28e8046042687bddc1b5789f6d5c
Cr-Commit-Position: refs/heads/master@{#398404}

[please use gerrit instead, 2016-06-06 17:43:19]

rouslan@chromium.org changed reviewers:
+ bauerb@chromium.org, dfalcantara@chromium.org

[please use gerrit instead, 2016-06-06 17:43:20]

bauerb@, ptal JsonSanitizer.

dfalcantara@, ptal PaymentRequestImpl.

[gone, 2016-06-06 18:09:23]

PaymentRequestImpl lgtm

[Bernhard Bauer, 2016-06-06 18:49:44]

bauerb@chromium.org changed reviewers:
+ rsesek@chromium.org

[Bernhard Bauer, 2016-06-06 18:49:45]

+rsesek

JsonSanitizer LGTM

[Robert Sesek, 2016-06-07 19:10:06]

If you want to just land this for now, that's fine with me, and I can do the
suggestion below.

https://codereview.chromium.org/2039303002/diff/40001/chrome/android/java/src...
File
chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java
(right):

https://codereview.chromium.org/2039303002/diff/40001/chrome/android/java/src...
chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java:471:
result = new JSONObject(JsonSanitizer.sanitize(stringifiedData));
I'm wondering if it'd be better to create a new class
org.chromium.compoents.safejson.SafeJsonParser that mimics the C++ interface and
returns a JSONObject. That way clients of the component don't have to understand
the sanitization that's happening underneath. And it'd provide symmetry between
C++ and Java interfaces.

[please use gerrit instead, 2016-06-07 21:12:10]

On 2016/06/07 19:10:06, Robert Sesek wrote:
> If you want to just land this for now, that's fine with me, and I can do the
> suggestion below.
> 
>
https://codereview.chromium.org/2039303002/diff/40001/chrome/android/java/src...
> File
>
chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java
> (right):
> 
>
https://codereview.chromium.org/2039303002/diff/40001/chrome/android/java/src...
>
chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java:471:
> result = new JSONObject(JsonSanitizer.sanitize(stringifiedData));
> I'm wondering if it'd be better to create a new class
> org.chromium.compoents.safejson.SafeJsonParser that mimics the C++ interface
and
> returns a JSONObject. That way clients of the component don't have to
understand
> the sanitization that's happening underneath. And it'd provide symmetry
between
> C++ and Java interfaces.

Will address in follow up patch.

[please use gerrit instead, 2016-06-07 21:12:26]

The CQ bit was checked by rouslan@chromium.org

[please use gerrit instead, 2016-06-07 21:12:26]

The patchset sent to the CQ was uploaded after l-g-t-m from bauerb@chromium.org,
dfalcantara@chromium.org
Link to the patchset: https://codereview.chromium.org/2039303002/#ps40001
(title: "Fix deps")

[commit-bot: I haz the power, 2016-06-07 21:23:07]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2039303002/40001

[commit-bot: I haz the power, 2016-06-07 22:36:34]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-06-07 22:37:58]

Description was changed from

==========
Sanitize JSON string before parsing it.

This patch makes PaymentRequestImpl use JsonSanitizer.santize() to
validate and sanitize the JSON string before parsing it.

BUG=617634
==========

to

==========
Sanitize JSON string before parsing it.

This patch makes PaymentRequestImpl use JsonSanitizer.santize() to
validate and sanitize the JSON string before parsing it.

BUG=617634

Committed: https://crrev.com/4d48c89a785d28e8046042687bddc1b5789f6d5c
Cr-Commit-Position: refs/heads/master@{#398404}
==========

[commit-bot: I haz the power, 2016-06-07 22:37:59]

Patchset 3 (id:??) landed as
https://crrev.com/4d48c89a785d28e8046042687bddc1b5789f6d5c
Cr-Commit-Position: refs/heads/master@{#398404}