Bug Report: vRealize Automation REST API generates invalid JSON data

This was tested with vRealize Automation v. 6.2.3

The issue

when using vRA REST API to get data as JSON, it's possible that this data includes ASCII control characters.

By JSON specification it's not valid to include double quotes (0x22), backslashes (0x5C) or any control characters (0x00 till 0x1F and 0x7F) inside string literals.

Example

We try to get a list of resourceOperations. it's possible that those operations are custom day 2 operations.

Such operations are allowed to have a description field, which may include ASCII control characters, e.g. it may include a newline formed by CR+LF (0x0D0A).

An example request may look like this: HTTP GET /api/consumer/resources/{resourceId}/actions

The response (truncated) may look like this:

{   "links": [   ],   "content": [      {       {          "@type": "ConsumerResourceOperation",          "name": "My custom action",          "description": "This is the action description  including a newline control character.",          "iconId": "cad71fb0-d760-4abc-bc8c-f7014d0c455a",          "type": "ACTION",          "id": "cad71fb0-d760-4abc-bc8c-f7014d0c455a",          "extensionId": null,          "providerTypeId": "com.vmware.csp.core.designer.service",          "bindingId": "556a370e-81e4-480a-86ee-9557d12aab84",          "hasForm": "true",          "formScale": "BIG"       },   [...]   }   [...]
}

As you can see, the response is not valid JSON because it includes a newline character. If you try to convert it into a JSON object, most parsers (the JSON spec. compliant one) will fail. This is also true for the (yet unofficial) JSON parser included inside vRealize Orchestrator, e.g.

var restClient = cafeHost.createRestClient(vCACCAFEServicesEnum.CATALOG_SERVICE);
var response = restClient.get("consumer/resources/"+ressource.getId()+"/actions");


var responseBodyAsString = response.getBodyAsString();  // works
var responseBodyAsJSON = response.getBodyAsJson();      // will fail with error "SyntaxError: String contains control character"
var jsonData = JSON.parse(responseBodyAsString);        // will fail with error "SyntaxError: String contains control character"

Implications

While this was tested for resourceOperations, it may be true for other JSON data returned by the vRealize Automation REST API.

Requested fix

Any generated JSON data from vRealize Automation should be checked for unsupported characters and, if any are found, those should be removed or escaped using the JSON escape sequences before any response is send.

In addition a JSON linter should be included for the REST API unit tests in order to help identify such issues.