Spring/spring-boot
Spring/spring-boot
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-boot.git synced 2024-08-29 03:06:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

Protect against deeply nested maps

Browse Source 
Update BasicJsonParser to fix the deeply nested map protection logic.

Fixes gh-32029
This commit is contained in:
Phillip Webb 2022-08-09 10:19:40 +01:00
parent 8dea05fd34
commit 2f85ea3a30
4 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java
View File

@ -67,7 +67,7 @@ public class BasicJsonParser extends AbstractJsonParser {
return parseListInternal(nesting + 1, json);
}
if (json.startsWith("{")) {
return parseMapInternal(nesting, json);
return parseMapInternal(nesting + 1, json);
}
if (json.startsWith("\"")) {
return trimTrailingCharacter(trimLeadingCharacter(json, '"'), '"');

8
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/AbstractJsonParserTests.java
View File

@ -205,4 +205,12 @@ abstract class AbstractJsonParserTests {
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
}
@Test // gh-32029
void deeplyNestedMap() throws IOException {
String input = StreamUtils.copyToString(
AbstractJsonParserTests.class.getResourceAsStream("deeply-nested-map-json.txt"),
StandardCharsets.UTF_8);
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
}
}

5
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/YamlJsonParserTests.java
View File

@ -66,4 +66,9 @@ class YamlJsonParserTests extends AbstractJsonParserTests {
void largeMalformed() throws IOException {
}
@Override
@Disabled("SnakeYaml does not protect against deeply nested JSON")
void deeplyNestedMap() throws IOException {
}
}

1
spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/json/deeply-nested-map-json.txt Normal file
View File

@ -0,0 +1 @@
[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<22><>