
BUG: Invalid Array Index Validation in python-json-pointer

Open kylie-bee opened this issue 1 year ago • 0 comments

Description

The current regex pattern used to validate array indices in the jsonpointer package incorrectly accepts indices with leading zeros, which violates the JSON Pointer specification (RFC 6901).

Current Implementation:

_RE_ARRAY_INDEX = re.compile('0|[1-9][0-9]*$')

Issue

The current regex pattern has a logical flaw where it accepts invalid array indices with leading zeros (e.g., "01", "02", "0123"). This happens because:

  1. The pattern 0|[1-9][0-9]*$ is an OR condition
  2. The first part 0 is not properly anchored
  3. Any string starting with "0" will match the first part of the OR condition, regardless of what follows

Test Case

import re

pattern = re.compile('0|[1-9][0-9]*$')
assert pattern.match('01')  # This incorrectly returns a match
assert pattern.match('0123')  # This incorrectly returns a match

Expected Behavior

According to RFC 6901:

  • Array indices must not have leading zeros
  • Valid indices: "0", "1", "2", "10", "20", etc.
  • Invalid indices: "01", "02", "00", "01234", etc.

Proposed Fix

The regex pattern should be updated to:

_RE_ARRAY_INDEX = re.compile('^(?:0|[1-9][0-9]*)$')

This fix:

  1. Anchors the pattern to the start of string with ^
  2. Uses a non-capturing group (?:...) for efficiency
  3. Properly validates that the entire string must match either:
    • A single "0", or
    • A number starting with 1-9 followed by zero or more digits

Impact

This bug could potentially lead to inconsistent behavior when working with JSON documents, especially in systems that rely on strict JSON Pointer compliance.

kylie-bee, Feb 19 '25 19:02
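Added example (not part of the original issue and not jsonpointer's own code): it runs the two patterns quoted in the issue over constructed sample tokens, and goes one step beyond the issue by adding a `fullmatch()` variant, because `$` in Python also matches just before a trailing newline. `STRICT`, `SAMPLES`, `accepted` and `parse_array_index` are hypothetical names introduced here.

```python
import re

# Patterns quoted in the issue above.
CURRENT = re.compile('0|[1-9][0-9]*$')
PROPOSED = re.compile('^(?:0|[1-9][0-9]*)$')
# Assumption (not from the issue): the same alternation checked with
# fullmatch(), so no anchors are needed and "$" cannot let a trailing
# newline through.
STRICT = re.compile('0|[1-9][0-9]*')

# Constructed sample tokens: valid indices, leading zeros, trailing junk.
SAMPLES = ['0', '1', '10', '01', '00', '0123', '0abc', '1a', '', '0\n', '7\n']


def accepted(tokens=SAMPLES):
    """Return, per pattern, the tokens it accepts as array indices."""
    return {
        'current': [t for t in tokens if CURRENT.match(t)],
        'proposed': [t for t in tokens if PROPOSED.match(t)],
        'strict': [t for t in tokens if STRICT.fullmatch(t)],
    }


def parse_array_index(token):
    """Hypothetical helper: return the index as int, or raise ValueError."""
    if not isinstance(token, str) or STRICT.fullmatch(token) is None:
        raise ValueError('invalid JSON Pointer array index: %r' % (token,))
    # int() alone would also accept '01' and '0\n', hence the check above.
    return int(token)


if __name__ == '__main__':
    for name, tokens in accepted().items():
        print('%-8s %r' % (name, tokens))
```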