"json" links on https://go.googlesource.com/ return invalid JSON documents #25548

Closed
BanzaiMan opened this issue May 24, 2018 · 8 comments

@BanzaiMan

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

N/A

Does this issue reproduce with the latest release?

N/A

What operating system and processor architecture are you using (go env)?

N/A

What did you do?

curl -s 'https://go.googlesource.com/go/+refs?format=JSON' | jq .

What did you expect to see?

A valid JSON document retrieved by curl, and jq displaying pretty JSON data.

What did you see instead?

$ curl -s 'https://go.googlesource.com/go/+refs?format=JSON' | jq .
parse error: Invalid numeric literal at line 1, column 2

The first line of returned document is:

)]}'

which is indeed invalid JSON.

@kardianos
Contributor

This is working as intended I believe. This prevents a certain class of cross site scripting attacks.

@BanzaiMan
Author

That is interesting. Do you have any idea where I can find out more about these concerns? Is there a reference to documents that led to this decision?

More generally, though, how is the consumer supposed to know that the JSON data thus returned are invalid and to figure out how to recover the valid data? Why should such a document be advertised with content-type: application/json when it is obviously not?

@bradfitz
Contributor

Yes, this is by design and documented:
https://gerrit-review.googlesource.com/Documentation/rest-api.html#output
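
One way a client can handle the prefix line quoted in the issue, as an added example that is not part of the thread or of Gerrit's own code: it strips `)]}'` only when it is the whole first line, then parses the remainder. The `Ref` shape, the function names and the sample body are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// xssiPrefix is the first line quoted in the issue. Loaded cross-origin as a
// script, it is a syntax error, so the JSON after it is never evaluated.
var xssiPrefix = []byte(")]}'")

// StripXSSIPrefix removes the guard line when it is exactly the first line
// (LF or CRLF terminated) and reports whether it was found. Bodies without
// the guard are returned unchanged.
func StripXSSIPrefix(body []byte) ([]byte, bool) {
	if !bytes.HasPrefix(body, xssiPrefix) {
		return body, false
	}
	rest := bytes.TrimPrefix(body[len(xssiPrefix):], []byte("\r"))
	if len(rest) > 0 && rest[0] != '\n' {
		return body, false // ")]}'" followed by other text is not the guard
	}
	return bytes.TrimPrefix(rest, []byte("\n")), true
}

// Ref is an assumed shape for one entry of the constructed sample below.
type Ref struct {
	Value string `json:"value"`
}

// DecodeRefs strips the guard line, then decodes a map of ref name to Ref.
func DecodeRefs(body []byte) (map[string]Ref, error) {
	payload, _ := StripXSSIPrefix(body)
	refs := make(map[string]Ref)
	if err := json.Unmarshal(payload, &refs); err != nil {
		return nil, fmt.Errorf("decode refs: %w", err)
	}
	return refs, nil
}

// sample is a constructed response body, not captured from the server.
const sample = ")]}'\n" + `{"refs/tags/example": {"value": "0123abcd"}}`

func main() {
	refs, err := DecodeRefs([]byte(sample))
	fmt.Println(refs["refs/tags/example"].Value, err)
}
```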

@BanzaiMan
Author

@bradfitz I am curious. How was I supposed to find that documentation from https://go.googlesource.com/go/?

@kardianos
Contributor

kardianos commented May 25, 2018 via email

@bradfitz
Contributor

@BanzaiMan, why are you trying to use the Gerrit API without reading the Gerrit API documentation?

@BanzaiMan
Author

@bradfitz

I appreciate your effort to understand more.

Frankly, I was not aware that https://go.googlesource.com/go was served by Gerrit at all. I am not interested in contributing to Go itself; I'm not a Go programmer. I am simply interested in getting the canonical list of releases available. To me, a consumer of the Go lang's project data, what powers https://go.googlesource.com is an implementation detail.

I followed:
https://golang.org/ -- (The Project at the top navigation bar) -> https://golang.org/project/ -- (Source Code) -> https://golang.org/change -- (HTTP Redirect) -> https://go.googlesource.com/go/

At this point, https://go.googlesource.com/go/+refs seemed like a reasonable place for the information I need. Expecting the 'json' link to return valid JSON (when the server explicitly sets Content-Type: application/json) seemed perfectly reasonable to me, but I guess I was mistaken.

@bradfitz
Contributor

@BanzaiMan, ah! Now I understand. I'd never seen that link down there.

I'll pass this feedback on to the Gerrit team.

BanzaiMan added a commit to travis-ci/travis-build that referenced this issue May 25, 2018
Instead of manually updating public/version-aliases/go.json
with each Go release, we update the necessary data using data
provided by the Go lang source itself.

Notice that some finessing is necessary because Go lang's git
repository does not return valid JSON data.
See golang/go#25548 (comment)
golang locked and limited conversation to collaborators May 25, 2019