Json::encode(): auto-sanitize bad UTF-8 strings

[Al2Klimov]

fixes #2635

[Thomas-Gelf]

If you want this to be usable throughout our modules, such dangerous magic should not be the default. I expect Json::encode to be strict and to fail for invalid data. A failsafe variant is of course helpful for situations like the one referenced here. But then there should be a dedicated method call allowing one to explicitly opt for the failsafe variant.

[Al2Klimov]

Why do you think this is dangerous? Icinga 2 does the same thing before IDO inserts and they're fine (no one complained). And: I've not changed any module not in the repo (e.g. Director) neither there is any similar "peer pressure". Anyway IMO one can expect Json::encode() to do somewhat more than just json_encode().

PS: C'mon, aren't you the master of magic? 😉

[Thomas-Gelf]

Being weak on encoding isn't magic, that's acting carelessly, it's dangerous. All sane parts of our stack should accept valid UTF8 only. There are legacy parts in our stack where we have to live with historic facts. But letting the JSON library accept every kind of garbage per default is just the wrong way of dealing with this. This "forgiving" encoding should be opt-in in an explicit way by calling a dedicated function.

Regarding IDO: I gave my suggestions at the time this has been discussed and implemented. My proposal was to not let invalid UTF8 enter the core, in no way. Illegal check command output should be sanitized by the related component when reading the result. I don't know how it has then been implemented.

[nilmerg]

I also expect Json::encode and Json::decode to behave exactly as their functional counterparts. They may behave better in terms of quality/usability (which is their intention) but definitely not in terms of error handling.

Also, since this is a class in the Icinga\Util namespace, it's highly likely it's being used in the wild. Therefore suppressing exceptions a caller previously handled and expected is bad.

So, please make the sanitation optional.

[dnsmichi]

Depending on where these functions are used, you'd need sanitation or not. I wouldn't move this into the Json* functions, but leave them outside. This renders the code more visible and transparent, and you don't need to know the function signature (which would be different from the inner json_encode($value, $options, $depth)).

[lippserd]

Hi Alex,

Thanks for the PR. I opt for Json::sanitize() instead of a parameter to encode. Else you always have to specify the default parameters.

Best,
Eric

[lippserd]

Well done. Thanks!

[lippserd]

Well, tests are failing because of a fallthrough case in the switch statement. And I added an inline comment for a small change.

[lippserd]

Please use getAutoSanitize(). Subclasses may override this method. Though we don't have any at moment.

[Al2Klimov]

Always used $this->whatever – no one complained. Shall I do member reads like you everywhere in the future?

[lippserd]

I stumbled upon this several times while working on the ipl. I'd say that we did not care about subclass overrides before. Yes, please use the getter for reads in the future.

[Al2Klimov]

I already added a comment. Didn't our tests respect it?

[lippserd]

I think you need a // Fallthrough comment here.

[lippserd]

Thanks for the changes 👍