[BUG]Fastjson2-2.0.28时间格式化报错

[JavaChinaLive]

问题描述

Fastjson2-2.0.28时间格式化报错

环境信息

请填写以下信息：

• OS信息： [e.g.：CentOS 8.4.2105 4Core 3.10GHz 16 GB]
• JDK信息： [e.g.：Openjdk 1.8.0_312]
• 版本信息：[e.g.：Fastjson2 2.0.28]

重现步骤

如何操作可以重现该问题：

1. 使用 com.alibaba.fastjson2.JSON.parseObject 方法
2. 输入 VO类 数据
3. 出现 com.alibaba.fastjson2.JSONException: illegal date input, offset 125, character ", line 1, column 126, fastjson-version 2.0.28 错误

//可在此输入示例代码

相关日志输出

com.alibaba.fastjson2.JSONException: illegal date input, offset 125, character ", line 1, column 126, fastjson-version 2.0.28 {"@type":"com.cashy.payment.domain.vo.PayDeskOneCache","amount":1710000,"currency":"IDR","expireSeconds":43200,"expireTime":"2023-04-21 21:03:43.071","mchOrderNo":"16820426211962643102","merchantId":"2002088","orderNo":"PAYIN8337573427768262656","orderStatus":"PAYING","payCode":"8903909932118062","payProCode":"MandiriVA","qrCodeType":"0"}

[JavaChinaLive]

expireTime 是Date数据类型，数据出现毫秒 就报错Json语法错误
2023-04-21 21:03:43.071

[wenshao]

我这里没有重现，能提供更完整的错误堆栈信息么？

[JavaChinaLive]

com.alibaba.fastjson2.JSONException: illegal date input, offset 124, character ", line 1, column 125, fastjson-version 2.0.28 {"@type":"com.cashy.payment.domain.vo.PayDeskOneCache","amount":700000,"currency":"IDR","expireSeconds":86400,"expireTime":"2023-04-21 16:37:59.072","mchOrderNo":"MCH8337325359814737920","merchantId":"3002094","orderNo":"PAYIN8337325359856680960","orderStatus":"PAYING","payCode":"6321344006656","payProCode":"BRIVA","qrCodeType":"0"} at com.alibaba.fastjson2.JSONReaderUTF16.readMillis19(JSONReaderUTF16.java:5276) at com.alibaba.fastjson2.reader.ObjectReaderImplDate.readDate(ObjectReaderImplDate.java:100) at com.alibaba.fastjson2.reader.ObjectReaderImplDate.readObject(ObjectReaderImplDate.java:71) at com.alibaba.fastjson2.reader.ORG_2_15_PayDeskOneCache.readObject(Unknown Source) at com.alibaba.fastjson2.reader.ObjectReaderImplObject.readObject(ObjectReaderImplObject.java:125) at com.alibaba.fastjson2.JSON.parseObject(JSON.java:857) at com.cashy.frameworkapp.config.FastJson2JsonRedisSerializer.deserialize(FastJson2JsonRedisSerializer.java:46) at org.springframework.data.redis.core.AbstractOperations.deserializeValue(AbstractOperations.java:335) at org.springframework.data.redis.core.AbstractOperations$ValueDeserializingRedisCallback.doInRedis(AbstractOperations.java:61) at org.springframework.data.redis.core.RedisTemplate.execute(RedisTemplate.java:222) at org.springframework.data.redis.core.RedisTemplate.execute(RedisTemplate.java:189) at org.springframework.data.redis.core.AbstractOperations.execute(AbstractOperations.java:96) at org.springframework.data.redis.core.DefaultValueOperations.get(DefaultValueOperations.java:53)

[JavaChinaLive]

@JsonFormat(pattern = "yyyy-MM-dd HH:mm:ss") private Date expireTime;

[JavaChinaLive]

`package com.cashy.payment.domain.vo;

import java.math.BigDecimal;
import java.util.Date;

import com.alibaba.fastjson2.JSONObject;
import com.cashy.common.config.CustomerBigDecimalSerialize;
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;

import lombok.Data;

@DaTa
public class PayDeskOneCache {
private String merchantId;
private String mchOrderNo;
private String orderNo;
private String currency;
private BigDecimal amount;
@jsonformat(pattern = "yyyy-MM-dd HH:mm:ss")
private Date expireTime;
@jsonformat(pattern = "dd-MM-yyyy HH:mm")
private Date completeTime;
private String payCode;
private String payProCode;
private String qrCodeType;
private String pushNumber;
private String orderStatus;
private Long expireSeconds;

}
`

在Fastjson2-version-2.0.16是正常的，升级到2.0.28就会报错格式化错误

[EvanMi]

请问这个算bug吗？因为字符串个pattern确实不匹配呀

[JavaChinaLive]

请问这个算bug吗？因为字符串个pattern确实不匹配呀

感觉有点奇怪，在2.0.16版本没有报错

[wenshao]

Bean bean = JSON.parseObject(json, Bean.class, JSONReader.Feature.SupportSmartMatch);

加上SupportSmartMatch可以自动识别不匹配的格式

[EvanMi]

Bean bean = JSON.parseObject(json, Bean.class, JSONReader.Feature.SupportSmartMatch);

加上SupportSmartMatch可以自动识别不匹配的格式

确实，加上不报错，还能正确解析

[wenshao]

https://github.com/alibaba/fastjson2/releases/tag/2.0.29
请用新版本

[JavaChinaLive]

感谢温少，还冲锋在前线 温绍锦 ***@***.***>于2023年4月22日 周六21:14写道：

…

https://github.com/alibaba/fastjson2/releases/tag/2.0.29 请用新版本 — Reply to this email directly, view it on GitHub <#1393 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZB46DH5NY2DN5SSH3QCP43XCPKTFANCNFSM6AAAAAAXGIN6NY> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[JavaChinaLive]

Bean bean = JSON.parseObject(json, Bean.class, JSONReader.Feature.SupportSmartMatch);

加上SupportSmartMatch可以自动识别不匹配的格式

@wenshao 请教个问题，我目前用的是 JSONReader.Feature.SupportAutoType 如果 改成 JSONReader.Feature.SupportSmartMatch ，有没有安全的影响，比如说序列化的漏洞问题

[JavaChinaLive]

`package com.xxx.framework.config;

import java.nio.charset.Charset;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;
import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONReader;
import com.alibaba.fastjson2.JSONWriter;

/**

• Redis使用FastJson序列化
  */
  public class FastJson2JsonRedisSerializer implements RedisSerializer
  {
  public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");

  private Class clazz;

  public FastJson2JsonRedisSerializer(Class clazz)
  {
  super();
  this.clazz = clazz;
  }

  @OverRide
  public byte[] serialize(T t) throws SerializationException
  {
  if (t == null)
  {
  return new byte[0];
  }
  return JSON.toJSONString(t, JSONWriter.Feature.WriteClassName).getBytes(DEFAULT_CHARSET);
  }

  @OverRide
  public T deserialize(byte[] bytes) throws SerializationException
  {
  if (bytes == null || bytes.length <= 0)
  {
  return null;
  }
  String str = new String(bytes, DEFAULT_CHARSET);

   return JSON.parseObject(str, clazz, JSONReader.Feature.SupportAutoType);
  

  }
  }
  `