The maximum depth for the JSON parser has been set to 10000

javadev · web-flow · commit b9f81f3b62aa · 2024-03-13T14:42:37.000+02:00
diff --git a/src/main/java/com/github/underscore/Json.java b/src/main/java/com/github/underscore/Json.java
@@ -32,6 +32,9 @@
 
 @SuppressWarnings({"java:S3740", "java:S3776"})
 public final class Json {
+
+    private static final int PARSE_MAX_DEPTH = 10_000;
+
     private Json() {}
 
     private static final String NULL = "null";
@@ -459,25 +462,30 @@ public static class JsonParser {
         private int current;
         private StringBuilder captureBuffer;
         private int captureStart;
+        private final int maxDepth;
 
-        public JsonParser(String string) {
+        public JsonParser(String string, int maxDepth) {
             this.json = string;
+            this.maxDepth = maxDepth;
             line = 1;
             captureStart = -1;
         }
 
         public Object parse() {
             read();
             skipWhiteSpace();
-            final Object result = readValue();
+            final Object result = readValue(0);
             skipWhiteSpace();
             if (!isEndOfText()) {
                 throw error("Unexpected character");
             }
             return result;
         }
 
-        private Object readValue() {
+        private Object readValue(int depth) {
+            if (depth > maxDepth) {
+                throw error("Maximum depth exceeded");
+            }
             switch (current) {
                 case 'n':
                     return readNull();
@@ -488,9 +496,9 @@ private Object readValue() {
                 case '"':
                     return readString();
                 case '[':
-                    return readArray();
+                    return readArray(depth + 1);
                 case '{':
-                    return readObject();
+                    return readObject(depth + 1);
                 case '-':
                 case '0':
                 case '1':
@@ -508,7 +516,7 @@ private Object readValue() {
             }
         }
 
-        private List<Object> readArray() {
+        private List<Object> readArray(int depth) {
             read();
             List<Object> array = new ArrayList<>();
             skipWhiteSpace();
@@ -517,7 +525,7 @@ private List<Object> readArray() {
             }
             do {
                 skipWhiteSpace();
-                array.add(readValue());
+                array.add(readValue(depth));
                 skipWhiteSpace();
             } while (readChar(','));
             if (!readChar(']')) {
@@ -526,7 +534,7 @@ private List<Object> readArray() {
             return array;
         }
 
-        private Map<String, Object> readObject() {
+        private Map<String, Object> readObject(int depth) {
             read();
             Map<String, Object> object = new LinkedHashMap<>();
             skipWhiteSpace();
@@ -541,7 +549,7 @@ private Map<String, Object> readObject() {
                     throw expected("':'");
                 }
                 skipWhiteSpace();
-                object.put(name, readValue());
+                object.put(name, readValue(depth));
                 skipWhiteSpace();
             } while (readChar(','));
             if (!readChar('}')) {
@@ -834,7 +842,11 @@ public static String toJson(Map map) {
     }
 
     public static Object fromJson(String string) {
-        return new JsonParser(string).parse();
+        return fromJson(string, PARSE_MAX_DEPTH);
+    }
+
+    public static Object fromJson(String string, int maxDepth) {
+        return new JsonParser(string, maxDepth).parse();
     }
 
     public static String formatJson(String json, JsonStringBuilder.Step identStep) {
diff --git a/src/main/java/com/github/underscore/U.java b/src/main/java/com/github/underscore/U.java
@@ -2601,6 +2601,11 @@ public static Map<String, Object> fromJsonMap(final String string) {
         return getStringObjectMap(object);
     }
 
+    public static Map<String, Object> fromJsonMap(final String string, final int maxDepth) {
+        final Object object = Json.fromJson(string, maxDepth);
+        return getStringObjectMap(object);
+    }
+
     @SuppressWarnings("unchecked")
     private static Map<String, Object> getStringObjectMap(Object object) {
         final Map<String, Object> result;
diff --git a/src/test/java/com/github/underscore/StringTest.java b/src/test/java/com/github/underscore/StringTest.java
@@ -3503,6 +3503,7 @@ void fromJsonMap() {
         assertEquals("{value=[]}", U.fromJsonMap(stringJson).toString());
         String stringJson2 = "{}";
         assertEquals("{}", U.fromJsonMap(stringJson2).toString());
+        assertEquals("{}", U.fromJsonMap(stringJson2, 100).toString());
     }
 
     @Test
@@ -3517,6 +3518,18 @@ void fromJsonStackoverflowObject() throws IOException {
         }
     }
 
+    @Test
+    void fromJsonParseException() throws IOException {
+        String stringJson =
+                new String(
+                        Files.readAllBytes(Paths.get("src/test/resources/wellFormedObject.json")));
+        try {
+            U.fromJsonMap(stringJson, 1000);
+        } catch (Throwable throwable) {
+            assertTrue(throwable instanceof Json.ParseException);
+        }
+    }
+
     @Test
     void fromJsonStackoverflowArray() throws IOException {
         String stringJson =
