JS: Guard other uses of Gson.fromJson

2026-04-28 02:05:14 +02:00 · 2020-10-26 09:21:56 +00:00
parent fc12b0bb5e
commit f6c0972523
1 changed files with 9 additions and 1 deletions
--- a/javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java
+++ b/javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java
@@ -19,6 +19,8 @@ import java.util.List;
 import java.util.regex.Pattern;

 import com.google.gson.Gson;
+import com.google.gson.JsonParseException;
+
 import com.semmle.js.dependencies.packument.Packument;

 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
@@ -84,7 +86,13 @@ public class Fetcher {
        }
        System.out.println("Fetching package metadata for " + packageName);
        try (Reader reader = new BufferedReader(new InputStreamReader(fetch("https://registry.npmjs.org/" + packageName)))) {
-            return new Gson().fromJson(reader, Packument.class);
+            Packument packument = new Gson().fromJson(reader, Packument.class);
+            if (packument == null) {
+                throw new IOException("Malformed packument for " + packageName);
+            }
+            return packument;
+        } catch (JsonParseException ex) {
+            throw new IOException("Malformed packument for " + packageName, ex);
        }
    }