Merge branch '2.15'

cowtowncoder · cowtowncoder · commit 4022bfa62d63 · 2023-03-07T15:06:53.000-08:00
diff --git a/cbor/src/main/java/tools/jackson/dataformat/cbor/CBORParser.java b/cbor/src/main/java/tools/jackson/dataformat/cbor/CBORParser.java
@@ -696,7 +696,7 @@ public JsonToken nextToken() throws JacksonException
                 if (!_tagValues.isEmpty()) {
                     return _handleTaggedArray(_tagValues, len);
                 }
-                _streamReadContext = _streamReadContext.createChildArrayContext(len);
+                createChildArrayContext(len);
             }
             return (_currToken = JsonToken.START_ARRAY);
 
@@ -705,7 +705,7 @@ public JsonToken nextToken() throws JacksonException
             _currToken = JsonToken.START_OBJECT;
             {
                 int len = _decodeExplicitLength(lowBits);
-                _streamReadContext = _streamReadContext.createChildObjectContext(len);
+                createChildObjectContext(len);
             }
             return _currToken;
 
@@ -893,7 +893,7 @@ protected JsonToken _handleTaggedArray(TagList tags, int len) throws JacksonExce
         // For simplicity, let's create matching array context -- in perfect
         // world that wouldn't be necessarily, but in this one there are
         // some constraints that make it necessary
-        _streamReadContext = _streamReadContext.createChildArrayContext(len);
+        createChildArrayContext(len);
 
         // BigDecimal is the only thing we know for sure
         if (!tags.contains(CBORConstants.TAG_DECIMAL_FRACTION)) {
@@ -1796,15 +1796,15 @@ public String nextTextValue() throws JacksonException
             _currToken = JsonToken.START_ARRAY;
             {
                 int len = _decodeExplicitLength(lowBits);
-                _streamReadContext = _streamReadContext.createChildArrayContext(len);
+                createChildArrayContext(len);
             }
             return null;
 
         case 5: // Object
             _currToken = JsonToken.START_OBJECT;
             {
                 int len = _decodeExplicitLength(lowBits);
-                _streamReadContext = _streamReadContext.createChildObjectContext(len);
+                createChildObjectContext(len);
             }
             return null;
 
@@ -4147,4 +4147,14 @@ private final BigInteger _bigNegative(long l) {
         BigInteger unsignedBase = _bigPositive(l);
         return unsignedBase.negate().subtract(BigInteger.ONE);
     }
+
+    private void createChildArrayContext(final int len) throws JacksonException {
+        _streamReadContext = _streamReadContext.createChildArrayContext(len);
+        streamReadConstraints().validateNestingDepth(_streamReadContext.getNestingDepth());
+    }
+
+    private void createChildObjectContext(final int len) throws JacksonException {
+        _streamReadContext = _streamReadContext.createChildObjectContext(len);
+        streamReadConstraints().validateNestingDepth(_streamReadContext.getNestingDepth());
+    }
 }
diff --git a/cbor/src/main/java/tools/jackson/dataformat/cbor/CBORReadContext.java b/cbor/src/main/java/tools/jackson/dataformat/cbor/CBORReadContext.java
@@ -57,6 +57,7 @@ public CBORReadContext(CBORReadContext parent, DupDetector dups,
         _type = type;
         _expEntryCount = expEntryCount;
         _index = -1;
+        _nestingDepth = parent == null ? 0 : parent._nestingDepth + 1;
     }
 
     protected void reset(int type, int expEntryCount)
diff --git a/cbor/src/test/java/tools/jackson/dataformat/cbor/CBORTestBase.java b/cbor/src/test/java/tools/jackson/dataformat/cbor/CBORTestBase.java
@@ -59,6 +59,9 @@ public abstract class CBORTestBase
     protected CBORParser cborParser(ByteArrayOutputStream bytes) {
         return cborParser(bytes.toByteArray());
     }
+    protected CBORParser cborParser(CBORFactory cborFactory, ByteArrayOutputStream bytes) throws IOException {
+        return cborParser(cborFactory, bytes.toByteArray());
+    }
 
     protected CBORParser cborParser(byte[] input) {
         return (CBORParser) sharedMapper().createParser(input);
diff --git a/cbor/src/test/java/tools/jackson/dataformat/cbor/dos/DeepNestingParserTest.java b/cbor/src/test/java/tools/jackson/dataformat/cbor/dos/DeepNestingParserTest.java
@@ -0,0 +1,108 @@
+package tools.jackson.dataformat.cbor.dos;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import tools.jackson.core.*;
+import tools.jackson.core.exc.StreamConstraintsException;
+
+import tools.jackson.dataformat.cbor.CBORFactory;
+import tools.jackson.dataformat.cbor.CBORTestBase;
+
+/**
+ * Unit tests for deeply nested JSON
+ */
+public class DeepNestingParserTest extends CBORTestBase
+{
+    public void testDeeplyNestedObjects() throws Exception
+    {
+        final int depth = 1500;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        genDeepDoc(out, depth);
+        try (JsonParser jp = cborParser(out)) {
+            JsonToken jt;
+            while ((jt = jp.nextToken()) != null) {
+
+            }
+            fail("expected StreamConstraintsException");
+        } catch (StreamConstraintsException e) {
+            assertEquals("Depth (1001) exceeds the maximum allowed nesting depth (1000)", e.getMessage());
+        }
+    }
+
+    public void testDeeplyNestedObjectsWithUnconstrainedMapper() throws Exception
+    {
+        final int depth = 1500;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        genDeepDoc(out, depth);
+        CBORFactory cborFactory = CBORFactory.builder()
+                .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(Integer.MAX_VALUE).build())
+                .build();
+        try (JsonParser jp = cborParser(cborFactory, out)) {
+            JsonToken jt;
+            while ((jt = jp.nextToken()) != null) {
+
+            }
+        }
+    }
+
+    public void testDeeplyNestedArrays() throws Exception
+    {
+        final int depth = 750;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        genDeepArrayDoc(out, depth);
+        try (JsonParser jp = cborParser(out)) {
+            JsonToken jt;
+            while ((jt = jp.nextToken()) != null) {
+
+            }
+            fail("expected StreamConstraintsException");
+        } catch (StreamConstraintsException e) {
+            assertEquals("Depth (1001) exceeds the maximum allowed nesting depth (1000)", e.getMessage());
+        }
+    }
+
+    public void testDeeplyNestedArraysWithUnconstrainedMapper() throws Exception
+    {
+        final int depth = 750;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        genDeepArrayDoc(out, depth);
+        CBORFactory cborFactory = CBORFactory.builder()
+                .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(Integer.MAX_VALUE).build())
+                .build();
+        try (JsonParser jp = cborParser(cborFactory, out)) {
+            JsonToken jt;
+            while ((jt = jp.nextToken()) != null) {
+
+            }
+        }
+    }
+
+    private void genDeepDoc(final ByteArrayOutputStream out, final int depth) throws IOException {
+        try (JsonGenerator gen = cborGenerator(out)) {
+            for (int i = 0; i < depth; i++) {
+                gen.writeStartObject();
+                gen.writeName("a");
+            }
+            gen.writeString("val");
+            for (int i = 0; i < depth; i++) {
+                gen.writeEndObject();
+            }
+        }
+    }
+
+    private void genDeepArrayDoc(final ByteArrayOutputStream out, final int depth) throws IOException {
+        try (JsonGenerator gen = cborGenerator(out)) {
+            for (int i = 0; i < depth; i++) {
+                gen.writeStartObject();
+                gen.writeName("a");
+                gen.writeStartArray();
+            }
+            gen.writeString("val");
+            for (int i = 0; i < depth; i++) {
+                gen.writeEndArray();
+                gen.writeEndObject();
+            }
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -696,7 +696,7 @@ public JsonToken nextToken() throws JacksonException`
`696`	`696`	`if (!_tagValues.isEmpty()) {`
`697`	`697`	`return _handleTaggedArray(_tagValues, len);`
`698`	`698`	`}`
`699`		`- _streamReadContext = _streamReadContext.createChildArrayContext(len);`
	`699`	`+ createChildArrayContext(len);`
`700`	`700`	`}`
`701`	`701`	`return (_currToken = JsonToken.START_ARRAY);`
`702`	`702`
`@@ -705,7 +705,7 @@ public JsonToken nextToken() throws JacksonException`
`705`	`705`	`_currToken = JsonToken.START_OBJECT;`
`706`	`706`	`{`
`707`	`707`	`int len = _decodeExplicitLength(lowBits);`
`708`		`- _streamReadContext = _streamReadContext.createChildObjectContext(len);`
	`708`	`+ createChildObjectContext(len);`
`709`	`709`	`}`
`710`	`710`	`return _currToken;`
`711`	`711`
`@@ -893,7 +893,7 @@ protected JsonToken _handleTaggedArray(TagList tags, int len) throws JacksonExce`
`893`	`893`	`// For simplicity, let's create matching array context -- in perfect`
`894`	`894`	`// world that wouldn't be necessarily, but in this one there are`
`895`	`895`	`// some constraints that make it necessary`
`896`		`- _streamReadContext = _streamReadContext.createChildArrayContext(len);`
	`896`	`+ createChildArrayContext(len);`
`897`	`897`
`898`	`898`	`// BigDecimal is the only thing we know for sure`
`899`	`899`	`if (!tags.contains(CBORConstants.TAG_DECIMAL_FRACTION)) {`
`@@ -1796,15 +1796,15 @@ public String nextTextValue() throws JacksonException`
`1796`	`1796`	`_currToken = JsonToken.START_ARRAY;`
`1797`	`1797`	`{`
`1798`	`1798`	`int len = _decodeExplicitLength(lowBits);`
`1799`		`- _streamReadContext = _streamReadContext.createChildArrayContext(len);`
	`1799`	`+ createChildArrayContext(len);`
`1800`	`1800`	`}`
`1801`	`1801`	`return null;`
`1802`	`1802`
`1803`	`1803`	`case 5: // Object`
`1804`	`1804`	`_currToken = JsonToken.START_OBJECT;`
`1805`	`1805`	`{`
`1806`	`1806`	`int len = _decodeExplicitLength(lowBits);`
`1807`		`- _streamReadContext = _streamReadContext.createChildObjectContext(len);`
	`1807`	`+ createChildObjectContext(len);`
`1808`	`1808`	`}`
`1809`	`1809`	`return null;`
`1810`	`1810`
`@@ -4147,4 +4147,14 @@ private final BigInteger _bigNegative(long l) {`
`4147`	`4147`	`BigInteger unsignedBase = _bigPositive(l);`
`4148`	`4148`	`return unsignedBase.negate().subtract(BigInteger.ONE);`
`4149`	`4149`	`}`
	`4150`	`+`
	`4151`	`+ private void createChildArrayContext(final int len) throws JacksonException {`
	`4152`	`+ _streamReadContext = _streamReadContext.createChildArrayContext(len);`
	`4153`	`+ streamReadConstraints().validateNestingDepth(_streamReadContext.getNestingDepth());`
	`4154`	`+ }`
	`4155`	`+`
	`4156`	`+ private void createChildObjectContext(final int len) throws JacksonException {`
	`4157`	`+ _streamReadContext = _streamReadContext.createChildObjectContext(len);`
	`4158`	`+ streamReadConstraints().validateNestingDepth(_streamReadContext.getNestingDepth());`
	`4159`	`+ }`
`4150`	`4160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,7 @@ public CBORReadContext(CBORReadContext parent, DupDetector dups,`
`57`	`57`	`_type = type;`
`58`	`58`	`_expEntryCount = expEntryCount;`
`59`	`59`	`_index = -1;`
	`60`	`+ _nestingDepth = parent == null ? 0 : parent._nestingDepth + 1;`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`protected void reset(int type, int expEntryCount)`
Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,9 @@ public abstract class CBORTestBase`
`59`	`59`	`protected CBORParser cborParser(ByteArrayOutputStream bytes) {`
`60`	`60`	`return cborParser(bytes.toByteArray());`
`61`	`61`	`}`
	`62`	`+ protected CBORParser cborParser(CBORFactory cborFactory, ByteArrayOutputStream bytes) throws IOException {`
	`63`	`+ return cborParser(cborFactory, bytes.toByteArray());`
	`64`	`+ }`
`62`	`65`
`63`	`66`	`protected CBORParser cborParser(byte[] input) {`
`64`	`67`	`return (CBORParser) sharedMapper().createParser(input);`