TV App: Add validation logic for supported clusters and response comm…

…ands (#34454) * Add validation logic * Restyled by google-java-format * Restyled by clang-format --------- Co-authored-by: Restyled.io <[email protected]>
project-chip · Aug 3, 2024 · 6ba9655 · 6ba9655
1 parent da6dd90
commit 6ba9655
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 31 deletions.
diff --git a/...-app/android/App/platform-app/src/main/java/com/matter/tv/server/utils/ResourceUtils.java b/...-app/android/App/platform-app/src/main/java/com/matter/tv/server/utils/ResourceUtils.java
@@ -58,38 +58,43 @@ public Set<SupportedCluster> getSupportedClusters(final Resources resources, fin
           SupportedCluster cluster = new SupportedCluster();
           while (reader.hasNext()) {
             String name = reader.nextName();
-            if (name.equals(KEY_CLUSTER_ID)) {
-              cluster.clusterIdentifier = reader.nextInt();
-            } else if (name.equals(KEY_FEATURE_FLAGS)) {
-              cluster.features = reader.nextInt();
-            } else if (name.equals(KEY_OPTIONAL_COMMANDS)) {
-              List<Integer> commands = new ArrayList<>();
-              reader.beginArray();
-              while (reader.hasNext()) {
-                commands.add(reader.nextInt());
+            try {
+              if (name.equals(KEY_CLUSTER_ID)) {
+                cluster.clusterIdentifier = reader.nextInt();
+              } else if (name.equals(KEY_FEATURE_FLAGS)) {
+                cluster.features = reader.nextInt();
+              } else if (name.equals(KEY_OPTIONAL_COMMANDS)) {
+                List<Integer> commands = new ArrayList<>();
+                reader.beginArray();
+                while (reader.hasNext()) {
+                  commands.add(reader.nextInt());
+                }
+                reader.endArray();
+                int[] commandIds = new int[commands.size()];
+                int i = 0;
+                for (Integer command : commands) {
+                  commandIds[i++] = command;
+                }
+                cluster.optionalCommandIdentifiers = commandIds;
+              } else if (name.equals(KEY_OPTIONAL_ATTRIBUTES)) {
+                List<Integer> attributes = new ArrayList<>();
+                reader.beginArray();
+                while (reader.hasNext()) {
+                  attributes.add(reader.nextInt());
+                }
+                reader.endArray();
+                int[] attributeIds = new int[attributes.size()];
+                int i = 0;
+                for (Integer command : attributes) {
+                  attributeIds[i++] = command;
+                }
+                cluster.optionalAttributesIdentifiers = attributeIds;
+              } else {
+                reader.skipValue();
               }
-              reader.endArray();
-              int[] commandIds = new int[commands.size()];
-              int i = 0;
-              for (Integer command : commands) {
-                commandIds[i++] = command;
-              }
-              cluster.optionalCommandIdentifiers = commandIds;
-            } else if (name.equals(KEY_OPTIONAL_ATTRIBUTES)) {
-              List<Integer> attributes = new ArrayList<>();
-              reader.beginArray();
-              while (reader.hasNext()) {
-                attributes.add(reader.nextInt());
-              }
-              reader.endArray();
-              int[] attributeIds = new int[attributes.size()];
-              int i = 0;
-              for (Integer command : attributes) {
-                attributeIds[i++] = command;
-              }
-              cluster.optionalAttributesIdentifiers = attributeIds;
-            } else {
-              reader.skipValue();
+            } catch (NumberFormatException | IllegalStateException e) {
+              Log.e(TAG, "Invalid number format in JSON for key: " + name, e);
+              reader.skipValue(); // Skip the invalid entry
             }
           }
           supportedClusters.add(cluster);

diff --git a/examples/tv-app/android/java/ContentAppCommandDelegate.cpp b/examples/tv-app/android/java/ContentAppCommandDelegate.cpp
@@ -133,6 +133,26 @@ Status ContentAppCommandDelegate::InvokeCommand(EndpointId epId, ClusterId clust
             JniUtfString respStr(env, resp);
             ChipLogProgress(Zcl, "ContentAppCommandDelegate::InvokeCommand got response %s", respStr.c_str());
 
+            Json::CharReaderBuilder readerBuilder;
+            std::string errors;
+
+            std::unique_ptr<Json::CharReader> testReader(readerBuilder.newCharReader());
+
+            if (!testReader->parse(respStr.c_str(), respStr.c_str() + std::strlen(respStr.c_str()), &value, &errors))
+            {
+                ChipLogError(Zcl, "Failed to parse JSON: %s\n", errors.c_str());
+                env->DeleteLocalRef(resp);
+                return chip::Protocols::InteractionModel::Status::Failure;
+            }
+
+            // Validate and access JSON data safely
+            if (!value.isObject())
+            {
+                ChipLogError(Zcl, "Invalid JSON structure: not an object");
+                env->DeleteLocalRef(resp);
+                return chip::Protocols::InteractionModel::Status::Failure;
+            }
+
             Json::Reader reader;
             if (!reader.parse(respStr.c_str(), value))
             {
@@ -166,7 +186,26 @@ void ContentAppCommandDelegate::FormatResponseData(CommandHandlerInterface::Hand
 {
     handlerContext.SetCommandHandled();
     Json::Reader reader;
+
+    Json::CharReaderBuilder readerBuilder;
+    std::string errors;
+
     Json::Value value;
+    std::unique_ptr<Json::CharReader> testReader(readerBuilder.newCharReader());
+
+    if (!testReader->parse(response, response + std::strlen(response), &value, &errors))
+    {
+        ChipLogError(Zcl, "Failed to parse JSON: %s\n", errors.c_str());
+        return;
+    }
+
+    // Validate and access JSON data safely
+    if (!value.isObject())
+    {
+        ChipLogError(Zcl, "Invalid JSON structure: not an object");
+        return;
+    }
+
     if (!reader.parse(response, value))
     {
         return;