mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-08-29 03:06:45 +08:00
Protect against deeply nested maps
Update BasicJsonParser to fix the deeply nested map protection logic. Fixes gh-32029
parent
8dea05fd34
commit
2f85ea3a30
@ -67,7 +67,7 @@ public class BasicJsonParser extends AbstractJsonParser {
|
||||
return parseListInternal(nesting + 1, json);
|
||||
}
|
||||
if (json.startsWith("{")) {
|
||||
return parseMapInternal(nesting, json);
|
||||
return parseMapInternal(nesting + 1, json);
|
||||
}
|
||||
if (json.startsWith("\"")) {
|
||||
return trimTrailingCharacter(trimLeadingCharacter(json, '"'), '"');
|
||||
|
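Review bot: The depth increment is written out separately in the list branch and the map branch (`parseListInternal(nesting + 1, json)` and `parseMapInternal(nesting + 1, json)`), which is the shape that allowed the map branch to miss it before this fix. Computing the child depth once, e.g. `int childNesting = nesting + 1;` ahead of both `startsWith` checks, would keep the two container branches from drifting apart again. A short comment such as `// every container level counts towards the nesting limit, lists and maps alike` would also record why the value is passed on. The start of the method and the limit check itself are outside this hunk, so where the limit is enforced cannot be confirmed from here.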
@ -205,4 +205,12 @@ abstract class AbstractJsonParserTests {
|
||||
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
|
||||
}
|
||||
|
||||
@Test // gh-32029
|
||||
void deeplyNestedMap() throws IOException {
|
||||
String input = StreamUtils.copyToString(
|
||||
AbstractJsonParserTests.class.getResourceAsStream("deeply-nested-map-json.txt"),
|
||||
StandardCharsets.UTF_8);
|
||||
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
|
||||
}
|
||||
|
||||
}
|
||||
|
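Review bot: `deeplyNestedMap` passes when the parser throws `JsonParseException` for any reason, so it does not show that the nesting limit is what rejected the input. The fixture as rendered on this page does not look like well-formed JSON, and an ordinary syntax failure would satisfy the assertion just as well. A well-formed object nested deeper than the limit, built inside the test, would pin the guard itself, and passing it to `parseMap` as well as `parseList` would cover a map at the top level. The stream from `getResourceAsStream` is also neither checked for null nor closed; an `assertThat(stream).isNotNull()` before reading would stop a missing fixture from possibly turning into a passing test.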
@ -66,4 +66,9 @@ class YamlJsonParserTests extends AbstractJsonParserTests {
|
||||
void largeMalformed() throws IOException {
|
||||
}
|
||||
|
||||
@Override
|
||||
@Disabled("SnakeYaml does not protect against deeply nested JSON")
|
||||
void deeplyNestedMap() throws IOException {
|
||||
}
|
||||
|
||||
}
|
||||
|
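Review bot: Disabling `deeplyNestedMap` here leaves the YAML-backed parser without a regression test for deep nesting, and the `@Disabled` reason string is the only place that records the gap. If the SnakeYAML version in use offers a nesting limit on `LoaderOptions` (`setNestingDepthLimit` in newer releases), configuring it in the parser would let this override be dropped. Otherwise the limitation belongs in the parser's Javadoc, so that callers who pass it untrusted input know the depth is not bounded. A comment such as `// re-enable once the YAML parser bounds nesting depth` above the override would say when the test can come back.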
@ -0,0 +1 @@
|
||||
[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>
|