root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Protect against deeply malformed JSON map keys 

Fixes gh-31869
This commit is contained in:
Phillip Webb 2022-07-26 15:47:50 +01:00
parent 6966ebd2a3
commit 4132414206
4 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java
View File

@ -21,6 +21,7 @@ import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
@ -86,6 +87,20 @@ public class BasicJsonParser extends AbstractJsonParser {
return json;
}
private Map<String, Object> parseMapInternal(String json) {
Map<String, Object> map = new LinkedHashMap<>();
json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
for (String pair : tokenize(json)) {
String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
Assert.state(values[0].startsWith("\"") && values[0].endsWith("\""),
"Expecting double-quotes around field names");
String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
Object value = parseInternal(0, values[1]);
map.put(key, value);
}
return map;
}
private static String trimTrailingCharacter(String string, char c) {
if (!string.isEmpty() && string.charAt(string.length() - 1) == c) {
return string.substring(0, string.length() - 1);
@ -100,18 +115,6 @@ public class BasicJsonParser extends AbstractJsonParser {
return string;
}
private Map<String, Object> parseMapInternal(String json) {
Map<String, Object> map = new LinkedHashMap<>();
json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
for (String pair : tokenize(json)) {
String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
Object value = parseInternal(0, values[1]);
map.put(key, value);
}
return map;
}
private List<String> tokenize(String json) {
List<String> list = new ArrayList<>();
int index = 0;

7
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/AbstractJsonParserTests.java
View File

@ -198,4 +198,11 @@ abstract class AbstractJsonParserTests {
.withMessageContaining("too deeply nested");
}
@Test // gh-31869
void largeMalformed() throws IOException {
String input = StreamUtils.copyToString(
AbstractJsonParserTests.class.getResourceAsStream("large-malformed-json.txt"), StandardCharsets.UTF_8);
assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
}
}

5
spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/YamlJsonParserTests.java
View File

@ -61,4 +61,9 @@ class YamlJsonParserTests extends AbstractJsonParserTests {
super.listWithRepeatedOpenArray();
}
@Override
@Disabled("SnakeYaml does not protect against malformed keys")
void largeMalformed() throws IOException {
}
}

1
spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/json/large-malformed-json.txt Normal file
View File

File diff suppressed because one or more lines are too long