root
/
spring-boot
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Merge branch '2.7.x'

Browse Source 
Closes gh-31872
pull/31887/head
Phillip Webb 2 years ago
parent 7377d85096 466724f77a
commit 0b1441f119
4 changed files with 34 additions and 6 deletions
Show Stats Download Patch File Download Diff File

17
spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java
Unescape Escape View File

@ -37,6 +37,8 @@ import org.springframework.util.StringUtils;
*/
public class BasicJsonParser extends AbstractJsonParser {
private static final int MAX_DEPTH = 1000;
@Override
public Map<String, Object> parseMap(String json) {
return tryParse(() -> parseMap(json, this::parseMapInternal), Exception.class);
@ -44,21 +46,24 @@ public class BasicJsonParser extends AbstractJsonParser {
@Override
public List<Object> parseList(String json) {
return tryParse(() -> parseList(json, this::parseListInternal), Exception.class);
return tryParse(() -> parseList(json, (jsonToParse) -> parseListInternal(0, jsonToParse)), Exception.class);
}
private List<Object> parseListInternal(String json) {
private List<Object> parseListInternal(int nesting, String json) {
List<Object> list = new ArrayList<>();
json = trimLeadingCharacter(trimTrailingCharacter(json, ']'), '[').trim();
for (String value : tokenize(json)) {
list.add(parseInternal(value));
list.add(parseInternal(nesting + 1, value));
}
return list;
}
private Object parseInternal(String json) {
private Object parseInternal(int nesting, String json) {
if (nesting > MAX_DEPTH) {
throw new IllegalStateException("JSON is too deeply nested");
}
if (json.startsWith("[")) {
return parseListInternal(json);
return parseListInternal(nesting + 1, json);
}
if (json.startsWith("{")) {
return parseMapInternal(json);
@ -101,7 +106,7 @@ public class BasicJsonParser extends AbstractJsonParser {
for (String pair : tokenize(json)) {
String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
Object value = parseInternal(values[1]);
Object value = parseInternal(0, values[1]);
map.put(key, value);
}
return map;

12
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/AbstractJsonParserTests.java
Unescape Escape View File

@ -16,11 +16,15 @@
package org.springframework.boot.json;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.util.StreamUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@ -186,4 +190,12 @@ abstract class AbstractJsonParserTests {
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseMap("{\"foo\"}"));
}
@Test // gh-31868
void listWithRepeatedOpenArray() throws IOException {
String input = StreamUtils.copyToString(
AbstractJsonParserTests.class.getResourceAsStream("repeated-open-array.txt"), StandardCharsets.UTF_8);
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input)).havingCause()
.withMessageContaining("too deeply nested");
}
}

10
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/GsonJsonParserTests.java
Unescape Escape View File

@ -16,6 +16,10 @@
package org.springframework.boot.json;
import java.io.IOException;
import org.junit.jupiter.api.Disabled;
/**
* Tests for {@link GsonJsonParser}.
*
@ -28,4 +32,10 @@ class GsonJsonParserTests extends AbstractJsonParserTests {
return new GsonJsonParser();
}
@Override
@Disabled("Gson does not protect against deeply nested JSON")
void listWithRepeatedOpenArray() throws IOException {
super.listWithRepeatedOpenArray();
}
}

1
spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/json/repeated-open-array.txt
View File

File diff suppressed because one or more lines are too long
Write Preview
Loading…
Cancel
Save