GitHub-Spring
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Protect against deeply nested maps 

Update BasicJsonParser to fix the deeply nested map protection logic.

Fixes gh-32029
pull/32501/head
Phillip Webb 4 years ago
parent
8dea05fd34
commit
2f85ea3a30
4 changed files with 15 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java
  2. 8
      spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/AbstractJsonParserTests.java
  3. 5
      spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/YamlJsonParserTests.java
  4. 1
      spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/json/deeply-nested-map-json.txt

2
spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java
Unescape View File

@ -67,7 +67,7 @@ public class BasicJsonParser extends AbstractJsonParser { @@ -67,7 +67,7 @@ public class BasicJsonParser extends AbstractJsonParser {
return parseListInternal(nesting + 1, json);
}
if (json.startsWith("{")) {
return parseMapInternal(nesting, json);
return parseMapInternal(nesting + 1, json);
}
if (json.startsWith("\"")) {
return trimTrailingCharacter(trimLeadingCharacter(json, '"'), '"');

8
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/AbstractJsonParserTests.java
Unescape View File

@ -205,4 +205,12 @@ abstract class AbstractJsonParserTests { @@ -205,4 +205,12 @@ abstract class AbstractJsonParserTests {
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
}
@Test // gh-32029
void deeplyNestedMap() throws IOException {
String input = StreamUtils.copyToString(
AbstractJsonParserTests.class.getResourceAsStream("deeply-nested-map-json.txt"),
StandardCharsets.UTF_8);
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
}
}

5
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/YamlJsonParserTests.java
Unescape View File

@ -66,4 +66,9 @@ class YamlJsonParserTests extends AbstractJsonParserTests { @@ -66,4 +66,9 @@ class YamlJsonParserTests extends AbstractJsonParserTests {
void largeMalformed() throws IOException {
}
@Override
@Disabled("SnakeYaml does not protect against deeply nested JSON")
void deeplyNestedMap() throws IOException {
}
}

1
spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/json/deeply-nested-map-json.txt
Unescape View File

@ -0,0 +1 @@ @@ -0,0 +1 @@
[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>{":{":{":{":{":{":[{":{"":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{":{"<EFBFBD><EFBFBD>
Write Preview
Loading…
Cancel
Save