Validate that strings being parsed as integers consist of ASCII characters (#2995)

eamonnmcmanus · web-flow · commit 1fa9b7a0a994 · 2026-03-19T12:36:10.000-07:00
* Validate that strings being parsed as integers consist of ASCII characters. This is technically an incompatible change, although it is unlikely that anyone will be affected by it. It also fixes a minor security issue. Fixes #2994. * Verify that `Integer.parseInt` does accept non-ASCII digits. * Move validation outside try/catch. Suggested by @Marcono1234.
diff --git a/gson/src/main/java/com/google/gson/stream/JsonReader.java b/gson/src/main/java/com/google/gson/stream/JsonReader.java
@@ -1090,6 +1090,7 @@ public long nextLong() throws IOException {
       } else {
         peekedString = nextQuotedValue(p == PEEKED_SINGLE_QUOTED ? '\'' : '"');
       }
+      validateAscii(peekedString);
       try {
         long result = Long.parseLong(peekedString);
         peeked = PEEKED_NONE;
@@ -1332,6 +1333,7 @@ public int nextInt() throws IOException {
       } else {
         peekedString = nextQuotedValue(p == PEEKED_SINGLE_QUOTED ? '\'' : '"');
       }
+      validateAscii(peekedString);
       try {
         result = Integer.parseInt(peekedString);
         peeked = PEEKED_NONE;
@@ -1853,6 +1855,14 @@ private void consumeNonExecutePrefix() throws IOException {
     pos += 5;
   }
 
+  private void validateAscii(String s) throws MalformedJsonException {
+    for (int i = 0; i < s.length(); i++) {
+      if (s.charAt(i) > 127) {
+        throw syntaxError("String contains non-ASCII characters: " + s);
+      }
+    }
+  }
+
   static {
     JsonReaderInternalAccess.INSTANCE =
         new JsonReaderInternalAccess() {
diff --git a/gson/src/test/java/com/google/gson/stream/JsonReaderTest.java b/gson/src/test/java/com/google/gson/stream/JsonReaderTest.java
@@ -736,6 +736,33 @@ public void testLongs() throws IOException {
     assertThat(reader.peek()).isEqualTo(JsonToken.END_DOCUMENT);
   }
 
+  @Test
+  public void testNonAsciiDigits() throws IOException {
+    String asciiDigits = "123";
+    String nonAsciiDigits = "１２３"; // full-width digits
+
+    // These should work
+    assertThat(new JsonReader(reader(asciiDigits)).nextInt()).isEqualTo(123);
+    assertThat(new JsonReader(reader(asciiDigits)).nextLong()).isEqualTo(123L);
+    assertThat(new JsonReader(reader('"' + asciiDigits + '"')).nextInt()).isEqualTo(123);
+    assertThat(new JsonReader(reader('"' + asciiDigits + '"')).nextLong()).isEqualTo(123L);
+
+    // Integer.parseInt happily accepts non-ASCII digits...
+    assertThat(Integer.parseInt(nonAsciiDigits)).isEqualTo(123);
+
+    // ...but nevertheless these should not work
+    assertThrows(
+        MalformedJsonException.class, () -> new JsonReader(reader(nonAsciiDigits)).nextInt());
+    assertThrows(
+        MalformedJsonException.class, () -> new JsonReader(reader(nonAsciiDigits)).nextLong());
+    assertThrows(
+        MalformedJsonException.class,
+        () -> new JsonReader(reader('"' + nonAsciiDigits + '"')).nextInt());
+    assertThrows(
+        MalformedJsonException.class,
+        () -> new JsonReader(reader('"' + nonAsciiDigits + '"')).nextLong());
+  }
+
   @Test
   public void testNumberWithOctalPrefix() throws IOException {
     String number = "01";
@@ -828,6 +855,9 @@ public void testMalformedNumbers() throws IOException {
     assertNotANumber("-.0");
     assertNotANumber(".0e1");
     assertNotANumber("-.0e1");
+
+    // non-ASCII digits (these are full-width digits)
+    assertNotANumber("１２.３");
   }
 
   private static void assertNotANumber(String s) throws IOException {
