json: 🐛Fix stack overflow deserializing empty JSON (#1293)

shaeussler · angularsen · web-flow · commit f008252f1703 · 2023-07-24T19:44:00.000Z
Fixes #1292 The call to "token.ToObject<IQuantity>(serializer)" with an empty or invalid json calls `JsonConvert.DeserializeObject` again and results in infinite recursion and stack overflow. ### Changes - Throw `JsonSerializationException` on invalid JSON in `UnitsNetIQuantityJsonConverter` - Include helpful info in exception, link to wiki, truncated JSON token in message and full JSON token in `Data["JsonToken"]` property. - Add tests for new behavior --------- Co-authored-by: Andreas Gullberg Larsen <andreas.larsen84@gmail.com>
diff --git a/UnitsNet.Serialization.JsonNet.Tests/UnitsNetIComparableJsonConverterTest.cs b/UnitsNet.Serialization.JsonNet.Tests/UnitsNetIComparableJsonConverterTest.cs
@@ -13,7 +13,7 @@ namespace UnitsNet.Serialization.JsonNet.Tests
 {
     public sealed class UnitsNetIComparableJsonConverterTest
     {
-        private UnitsNetIComparableJsonConverter _sut;
+        private readonly UnitsNetIComparableJsonConverter _sut;
 
         public UnitsNetIComparableJsonConverterTest()
         {
diff --git a/UnitsNet.Serialization.JsonNet.Tests/UnitsNetJsonDeserializationTests.cs b/UnitsNet.Serialization.JsonNet.Tests/UnitsNetJsonDeserializationTests.cs
@@ -98,6 +98,24 @@ public void NullValue_ExpectNullReturned()
             Assert.Null(deserializedNullMass);
         }
 
+        [Fact]
+        public void EmptyJsonValue_NullableType_ExpectJsonSerializationException()
+        {
+            var ex = Assert.Throws<JsonSerializationException>(() => DeserializeObject<Mass?>("{}"));
+            Assert.Equal("Failed to deserialize IQuantity for target type System.Nullable`1[UnitsNet.Mass] from JSON '{}', expected properties Unit and Value.", ex.Message);
+            Assert.Equal("https://github.com/angularsen/UnitsNet/wiki/Serializing-to-JSON,-XML-and-more#unitsnetserializationjsonnet-with-jsonnet-newtonsoft", ex.HelpLink);
+            Assert.Equal("{}", ex.Data["JsonToken"]);
+        }
+
+        [Fact]
+        public void EmptyJsonValue_NonNullableType_ExpectJsonSerializationException()
+        {
+            var ex = Assert.Throws<JsonSerializationException>(() => DeserializeObject<Mass>("{}"));
+            Assert.Equal("Failed to deserialize IQuantity for target type UnitsNet.Mass from JSON '{}', expected properties Unit and Value.", ex.Message);
+            Assert.Equal("https://github.com/angularsen/UnitsNet/wiki/Serializing-to-JSON,-XML-and-more#unitsnetserializationjsonnet-with-jsonnet-newtonsoft", ex.HelpLink);
+            Assert.Equal("{}", ex.Data["JsonToken"]);
+        }
+
         [Fact]
         public void NullValueNestedInObject_ExpectValueDeserializedToNullCorrectly()
         {
diff --git a/UnitsNet.Serialization.JsonNet/StringExtensions.cs b/UnitsNet.Serialization.JsonNet/StringExtensions.cs
@@ -0,0 +1,25 @@
+﻿// Licensed under MIT No Attribution, see LICENSE file at the root.
+// Copyright 2013 Andreas Gullberg Larsen (andreas.larsen84@gmail.com). Maintained at https://github.com/angularsen/UnitsNet.
+
+using System.Diagnostics.CodeAnalysis;
+
+namespace UnitsNet.Serialization.JsonNet
+{
+    internal static class StringExtensions
+    {
+        /// <summary>
+        /// Truncates a string to the given length, with truncation suffix.
+        /// </summary>
+        /// <param name="value">The string.</param>
+        /// <param name="maxLength">The max length, including <paramref name="truncationSuffix"/>.</param>
+        /// <param name="truncationSuffix">Suffix to append if truncated, defaults to "…".</param>
+        /// <returns>The truncated string if longer, otherwise the original string.</returns>
+        [return: NotNullIfNotNull("value")]
+        public static string? Truncate(this string? value, int maxLength, string truncationSuffix = "…")
+        {
+            return value?.Length > maxLength
+                ? value.Substring(0, maxLength - truncationSuffix.Length) + truncationSuffix
+                : value;
+        }
+    }
+}
diff --git a/UnitsNet.Serialization.JsonNet/UnitsNetBaseJsonConverter.cs b/UnitsNet.Serialization.JsonNet/UnitsNetBaseJsonConverter.cs
@@ -47,6 +47,7 @@ public void RegisterCustomType(Type quantity, Type unit)
         /// <returns>A <see cref="ValueUnit"/></returns>
         protected ValueUnit? ReadValueUnit(JToken jsonToken)
         {
+            // Empty JSON "{}"
             if (!jsonToken.HasValues)
             {
                 return null;
diff --git a/UnitsNet.Serialization.JsonNet/UnitsNetIComparableJsonConverter.cs b/UnitsNet.Serialization.JsonNet/UnitsNetIComparableJsonConverter.cs
@@ -50,28 +50,30 @@ public override void WriteJson(JsonWriter writer, IComparable? value, JsonSerial
         public override IComparable? ReadJson(JsonReader reader, Type objectType, IComparable? existingValue, bool hasExistingValue,
             JsonSerializer serializer)
         {
-            reader = reader ?? throw new ArgumentNullException(nameof(reader));
-            serializer = serializer ?? throw new ArgumentNullException(nameof(serializer));
+            if (reader == null) throw new ArgumentNullException(nameof(reader));
+            if (serializer == null) throw new ArgumentNullException(nameof(serializer));
 
-            if (reader.TokenType == JsonToken.Null)
+            var token = JToken.Load(reader);
+
+            if (token.Type is JTokenType.Null)
             {
                 return existingValue;
             }
 
-            var localSerializer = CreateLocalSerializer(serializer, this);
-
-            var token = JToken.Load(reader);
-
             // If objectType is not IComparable but a type that implements IComparable, deserialize directly as this type instead.
             if (objectType != typeof(IComparable))
             {
+                // Remove the current converter from the list of converters to avoid infinite recursion.
+                JsonSerializer localSerializer = CreateLocalSerializer(serializer, this);
                 return (IComparable)token.ToObject(objectType, localSerializer)!;
             }
 
-            var valueUnit = ReadValueUnit(token);
+            ValueUnit? valueUnit = ReadValueUnit(token);
 
             if (valueUnit == null)
             {
+                // Remove the current converter from the list of converters to avoid infinite recursion.
+                JsonSerializer localSerializer = CreateLocalSerializer(serializer, this);
                 return token.ToObject<IComparable>(localSerializer);
             }
 
diff --git a/UnitsNet.Serialization.JsonNet/UnitsNetIQuantityJsonConverter.cs b/UnitsNet.Serialization.JsonNet/UnitsNetIQuantityJsonConverter.cs
@@ -31,7 +31,7 @@ public override void WriteJson(JsonWriter writer, IQuantity? value, JsonSerializ
                 return;
             }
 
-            var valueUnit = ConvertIQuantity(value);
+            ValueUnit valueUnit = ConvertIQuantity(value);
 
             serializer.Serialize(writer, valueUnit);
         }
@@ -51,24 +51,28 @@ public override void WriteJson(JsonWriter writer, IQuantity? value, JsonSerializ
         public override IQuantity? ReadJson(JsonReader reader, Type objectType, IQuantity? existingValue, bool hasExistingValue,
             JsonSerializer serializer)
         {
-            reader = reader ?? throw new ArgumentNullException(nameof(reader));
-            serializer = serializer ?? throw new ArgumentNullException(nameof(serializer));
-
-            if (reader.TokenType == JsonToken.Null)
-            {
-                return existingValue;
-            }
+            if (reader == null) throw new ArgumentNullException(nameof(reader));
+            if (serializer == null) throw new ArgumentNullException(nameof(serializer));
 
             var token = JToken.Load(reader);
 
-            var valueUnit = ReadValueUnit(token);
-
-            if (valueUnit == null)
+            if (token.Type is JTokenType.Null)
             {
-                return token.ToObject<IQuantity>(serializer);
+                return existingValue;
             }
 
-            return ConvertValueUnit(valueUnit);
+            // Try to read value and unit from JSON, otherwise throw.
+            ValueUnit? valueUnit = ReadValueUnit(token);
+
+            return valueUnit != null
+                ? ConvertValueUnit(valueUnit)
+                : throw new JsonSerializationException(
+                    $"Failed to deserialize IQuantity for target type {objectType} from JSON '{token.ToString().Truncate(100)}', expected properties Unit and Value.")
+                {
+                    HelpLink =
+                        "https://github.com/angularsen/UnitsNet/wiki/Serializing-to-JSON,-XML-and-more#unitsnetserializationjsonnet-with-jsonnet-newtonsoft",
+                    Data = { { "JsonToken", token.ToString() }, }
+                };
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ namespace UnitsNet.Serialization.JsonNet.Tests`
`13`	`13`	`{`
`14`	`14`	`public sealed class UnitsNetIComparableJsonConverterTest`
`15`	`15`	`{`
`16`		`- private UnitsNetIComparableJsonConverter _sut;`
	`16`	`+ private readonly UnitsNetIComparableJsonConverter _sut;`
`17`	`17`
`18`	`18`	`public UnitsNetIComparableJsonConverterTest()`
`19`	`19`	`{`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ public void RegisterCustomType(Type quantity, Type unit)`
`47`	`47`	`/// <returns>A <see cref="ValueUnit"/></returns>`
`48`	`48`	`protected ValueUnit? ReadValueUnit(JToken jsonToken)`
`49`	`49`	`{`
	`50`	`+ // Empty JSON "{}"`
`50`	`51`	`if (!jsonToken.HasValues)`
`51`	`52`	`{`
`52`	`53`	`return null;`
Original file line number	Diff line number	Diff line change
`@@ -50,28 +50,30 @@ public override void WriteJson(JsonWriter writer, IComparable? value, JsonSerial`
`50`	`50`	`public override IComparable? ReadJson(JsonReader reader, Type objectType, IComparable? existingValue, bool hasExistingValue,`
`51`	`51`	`JsonSerializer serializer)`
`52`	`52`	`{`
`53`		`- reader = reader ?? throw new ArgumentNullException(nameof(reader));`
`54`		`- serializer = serializer ?? throw new ArgumentNullException(nameof(serializer));`
	`53`	`+ if (reader == null) throw new ArgumentNullException(nameof(reader));`
	`54`	`+ if (serializer == null) throw new ArgumentNullException(nameof(serializer));`
`55`	`55`
`56`		`- if (reader.TokenType == JsonToken.Null)`
	`56`	`+ var token = JToken.Load(reader);`
	`57`	`+`
	`58`	`+ if (token.Type is JTokenType.Null)`
`57`	`59`	`{`
`58`	`60`	`return existingValue;`
`59`	`61`	`}`
`60`	`62`
`61`		`- var localSerializer = CreateLocalSerializer(serializer, this);`
`62`		`-`
`63`		`- var token = JToken.Load(reader);`
`64`		`-`
`65`	`63`	`// If objectType is not IComparable but a type that implements IComparable, deserialize directly as this type instead.`
`66`	`64`	`if (objectType != typeof(IComparable))`
`67`	`65`	`{`
	`66`	`+ // Remove the current converter from the list of converters to avoid infinite recursion.`
	`67`	`+ JsonSerializer localSerializer = CreateLocalSerializer(serializer, this);`
`68`	`68`	`return (IComparable)token.ToObject(objectType, localSerializer)!;`
`69`	`69`	`}`
`70`	`70`
`71`		`- var valueUnit = ReadValueUnit(token);`
	`71`	`+ ValueUnit? valueUnit = ReadValueUnit(token);`
`72`	`72`
`73`	`73`	`if (valueUnit == null)`
`74`	`74`	`{`
	`75`	`+ // Remove the current converter from the list of converters to avoid infinite recursion.`
	`76`	`+ JsonSerializer localSerializer = CreateLocalSerializer(serializer, this);`
`75`	`77`	`return token.ToObject<IComparable>(localSerializer);`
`76`	`78`	`}`
`77`	`79`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public override void WriteJson(JsonWriter writer, IQuantity? value, JsonSerializ`
`31`	`31`	`return;`
`32`	`32`	`}`
`33`	`33`
`34`		`- var valueUnit = ConvertIQuantity(value);`
	`34`	`+ ValueUnit valueUnit = ConvertIQuantity(value);`
`35`	`35`
`36`	`36`	`serializer.Serialize(writer, valueUnit);`
`37`	`37`	`}`
`@@ -51,24 +51,28 @@ public override void WriteJson(JsonWriter writer, IQuantity? value, JsonSerializ`
`51`	`51`	`public override IQuantity? ReadJson(JsonReader reader, Type objectType, IQuantity? existingValue, bool hasExistingValue,`
`52`	`52`	`JsonSerializer serializer)`
`53`	`53`	`{`
`54`		`- reader = reader ?? throw new ArgumentNullException(nameof(reader));`
`55`		`- serializer = serializer ?? throw new ArgumentNullException(nameof(serializer));`
`56`		`-`
`57`		`- if (reader.TokenType == JsonToken.Null)`
`58`		`- {`
`59`		`- return existingValue;`
`60`		`- }`
	`54`	`+ if (reader == null) throw new ArgumentNullException(nameof(reader));`
	`55`	`+ if (serializer == null) throw new ArgumentNullException(nameof(serializer));`
`61`	`56`
`62`	`57`	`var token = JToken.Load(reader);`
`63`	`58`
`64`		`- var valueUnit = ReadValueUnit(token);`
`65`		`-`
`66`		`- if (valueUnit == null)`
	`59`	`+ if (token.Type is JTokenType.Null)`
`67`	`60`	`{`
`68`		`- return token.ToObject<IQuantity>(serializer);`
	`61`	`+ return existingValue;`
`69`	`62`	`}`
`70`	`63`
`71`		`- return ConvertValueUnit(valueUnit);`
	`64`	`+ // Try to read value and unit from JSON, otherwise throw.`
	`65`	`+ ValueUnit? valueUnit = ReadValueUnit(token);`
	`66`	`+`
	`67`	`+ return valueUnit != null`
	`68`	`+ ? ConvertValueUnit(valueUnit)`
	`69`	`+ : throw new JsonSerializationException(`
	`70`	`+ $"Failed to deserialize IQuantity for target type {objectType} from JSON '{token.ToString().Truncate(100)}', expected properties Unit and Value.")`
	`71`	`+ {`
	`72`	`+ HelpLink =`
	`73`	`+ "https://github.com/angularsen/UnitsNet/wiki/Serializing-to-JSON,-XML-and-more#unitsnetserializationjsonnet-with-jsonnet-newtonsoft",`
	`74`	`+ Data = { { "JsonToken", token.ToString() }, }`
	`75`	`+ };`
`72`	`76`	`}`
`73`	`77`	`}`
`74`	`78`	`}`