Protect against deeply nested JSON maps

See gh-31868
Phillip Webb 2022-07-26 15:52:57 +01:00
parent 4132414206
commit da91cde304
1 changed files with 4 additions and 4 deletions


@ -42,7 +42,7 @@ public class BasicJsonParser extends AbstractJsonParser {
@Override @Override
public Map<String, Object> parseMap(String json) { public Map<String, Object> parseMap(String json) {
return tryParse(() -> parseMap(json, this::parseMapInternal), Exception.class); return tryParse(() -> parseMap(json, (jsonToParse) -> parseMapInternal(0, jsonToParse)), Exception.class);
} }
@Override @Override
@ -67,7 +67,7 @@ public class BasicJsonParser extends AbstractJsonParser {
return parseListInternal(nesting + 1, json); return parseListInternal(nesting + 1, json);
} }
if (json.startsWith("{")) { if (json.startsWith("{")) {
return parseMapInternal(json); return parseMapInternal(nesting, json);
} }
if (json.startsWith("\"")) { if (json.startsWith("\"")) {
return trimTrailingCharacter(trimLeadingCharacter(json, '"'), '"'); return trimTrailingCharacter(trimLeadingCharacter(json, '"'), '"');
@ -87,7 +87,7 @@ public class BasicJsonParser extends AbstractJsonParser {
return json; return json;
} }
private Map<String, Object> parseMapInternal(String json) { private Map<String, Object> parseMapInternal(int nesting, String json) {
Map<String, Object> map = new LinkedHashMap<>(); Map<String, Object> map = new LinkedHashMap<>();
json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim(); json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
for (String pair : tokenize(json)) { for (String pair : tokenize(json)) {
@ -95,7 +95,7 @@ public class BasicJsonParser extends AbstractJsonParser {
Assert.state(values[0].startsWith("\"") && values[0].endsWith("\""), Assert.state(values[0].startsWith("\"") && values[0].endsWith("\""),
"Expecting double-quotes around field names"); "Expecting double-quotes around field names");
String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"'); String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
Object value = parseInternal(0, values[1]); Object value = parseInternal(nesting, values[1]);
map.put(key, value); map.put(key, value);
} }
return map; return map;
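Review bot: The map path threads `nesting` through but never increases it: the `{` branch of `parseInternal` calls `parseMapInternal(nesting, json)`, and `parseMapInternal` hands the same value back through `parseInternal(nesting, values[1])`, whereas the list branch just above passes `nesting + 1`. If the depth limit is enforced at the top of `parseInternal` (that check is outside the visible hunks, so this is inferred), a document made only of nested objects would leave the counter at 0 and still recurse without bound. Consider `return parseMapInternal(nesting + 1, json);` in the `{` branch, together with a test that feeds a deeply nested map-only document and expects it to be rejected. Both `parseInternal` and `parseMapInternal` begin and end outside the hunks shown.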