A potential concurrent bug on the Utils.sanitizeJson

[NEUZhangy]

Describe the bug
A potential concurrent bug on the crafted JSON file to sanitizeJson and cause an exception. This is related to
the U+FFFD Unicode replacement character.
To Reproduce

  @Test
  public void testsanitizer() throws Exception {
    String input = "\u0010{'\u0000\u0000'\"\u0000\"{.\ufffd-0X29295909049550970,\n\n0";
    String want = "{\"\\u0000\\u0000\":\"\\u0000\",\"\":{\"0\":-47455995597866469744,\n\n\"0\":null}}";
    String got = Utils.sanitizeJson(input);
    assertEquals(want, got);
  }

Screenshots
If applicable, add screenshots to help explain your problem.

[gjvoosten]

@NEUZhangy Since this happens with the next on an iterator returned by Jackson Databind, I would assume the bug lies there, or in the sanitized JSON returned from the JsonSanitizer.

[NEUZhangy]

@NEUZhangy Since this happens with the next on an iterator returned by Jackson Databind, I would assume the bug lies there, or in the sanitized JSON returned from the JsonSanitizer.

Thanks for the reply. When I double-checked the code, I think the root cause is here:

1. When using the test case I mentioned above, in the first loop, it will run to here:

   anet/src/main/java/mil/dds/anet/utils/Utils.java

   Line 250 in 2657f90

   objectNode.remove(entry.getKey());

   that remove an entry from the object node;
2. then, since the for-loop is still using the old reference, it will loop to the entry that code just removed, which is a null reference;

   anet/src/main/java/mil/dds/anet/utils/Utils.java

   Line 244 in 2657f90

   final Map.Entry<String, JsonNode> entry = entryIter.next();

   
   that is causing the referenced bug.

[gjvoosten]

@NEUZhangy Pull requests (preferably against latest HEAD on main) are welcome!