Protect against deeply malformed JSON map keys
Fixes gh-31869
philwebb committed Jul 26, 2022
1 parent 6966ebd commit 4132414
Showing 4 changed files with 28 additions and 12 deletions.
Expand Up @@ -21,6 +21,7 @@
import java.util.List;
import java.util.Map;

import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/**
Expand Down Expand Up @@ -86,6 +87,20 @@ private Object parseInternal(int nesting, String json) {
return json;
}

private Map<String, Object> parseMapInternal(String json) {
Map<String, Object> map = new LinkedHashMap<>();
json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
for (String pair : tokenize(json)) {
String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
Assert.state(values[0].startsWith("\"") && values[0].endsWith("\""),
"Expecting double-quotes around field names");
String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
Object value = parseInternal(0, values[1]);
map.put(key, value);
}
return map;
}

private static String trimTrailingCharacter(String string, char c) {
if (!string.isEmpty() && string.charAt(string.length() - 1) == c) {
return string.substring(0, string.length() - 1);
Expand All @@ -100,18 +115,6 @@ private static String trimLeadingCharacter(String string, char c) {
return string;
}

private Map<String, Object> parseMapInternal(String json) {
Map<String, Object> map = new LinkedHashMap<>();
json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
for (String pair : tokenize(json)) {
String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
Object value = parseInternal(0, values[1]);
map.put(key, value);
}
return map;
}

private List<String> tokenize(String json) {
List<String> list = new ArrayList<>();
int index = 0;
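Review bot: In the relocated `parseMapInternal`, every value is parsed with `parseInternal(0, values[1])`, so the nesting counter that `parseInternal(int nesting, String json)` receives restarts at zero for anything inside a map. The depth limit therefore appears not to cover structure reached through an object value, leaving recursion depth on untrusted input bounded only by the stack. Passing the depth through would close that: `private Map<String, Object> parseMapInternal(int nesting, String json)` with `Object value = parseInternal(nesting, values[1]);`, and the call site, which is outside this hunk, would pass its own `nesting`. Separately, `values[0]` and `values[1]` are read before anything confirms the pair split into two parts; adding `values != null && values.length == 2` to the new `Assert.state` would give a pair without a colon the same descriptive failure.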
Expand Up @@ -198,4 +198,11 @@ void listWithRepeatedOpenArray() throws IOException {
.withMessageContaining("too deeply nested");
}

@Test // gh-31869
void largeMalformed() throws IOException {
String input = StreamUtils.copyToString(
AbstractJsonParserTests.class.getResourceAsStream("large-malformed-json.txt"), StandardCharsets.UTF_8);
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
}

}
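Review bot: `largeMalformed` never checks that `large-malformed-json.txt` was actually loaded, and the assertion pins only the exception type. `getResourceAsStream` returns null when the resource is missing from the test classpath, and if `StreamUtils.copyToString` turns a null stream into an empty string (as I recall it does; worth confirming), `parseList` would reject that empty input with the same `JsonParseException` and the test would pass without reaching the malformed-key path. A guard before the assertion such as `assertThat(input).isNotEmpty();` keeps the regression test meaningful, assuming AssertJ's `assertThat` is already imported in this class. The stream is also never closed; a try-with-resources around the read would tidy that.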
Expand Up @@ -61,4 +61,9 @@ void listWithRepeatedOpenArray() throws IOException {
super.listWithRepeatedOpenArray();
}

@Override
@Disabled("SnakeYaml does not protect against malformed keys")
void largeMalformed() throws IOException {
}

}
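Review bot: The `@Disabled` override records that the SnakeYaml-backed parser does not reject the input this commit guards against, but nothing in the visible change points to a follow-up or tells users of that parser about the gap. The empty body also means this subclass asserts nothing about what the parser does with `large-malformed-json.txt`. I would put a tracking reference in the reason, e.g. `@Disabled("SnakeYaml does not protect against malformed keys, see gh-<issue>")` (placeholder id), and add a comment above the override stating what the parser is observed to do with this input, so a later SnakeYaml upgrade can re-enable the test. Whether the YAML path is reachable with untrusted JSON is not visible here, so the severity is for the maintainers to judge.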
