fix: parse large file with resolve option set to true

daniel-kmiecik · daniel-kmiecik · commit cb7c5dd5f42e · 2025-12-17T12:50:26.000+01:00
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java
@@ -15,9 +15,12 @@
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
 import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
+import io.swagger.v3.parser.util.DeserializationUtils;
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.LoggerFactory;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Yaml;
 
 import java.util.HashMap;
 import java.util.HashSet;
@@ -35,6 +38,8 @@ public class ReferenceVisitor extends AbstractVisitor {
     protected Reference reference;
     protected DereferencerContext context;
     private PermittedUrlsChecker permittedUrlsChecker;
+    private final LoaderOptions loaderOptions;
+
 
     public ReferenceVisitor(
             Reference reference,
@@ -46,6 +51,8 @@ public ReferenceVisitor(
         this.visited = visited;
         this.visitedMap = visitedMap;
         this.context = null;
+        this.loaderOptions = DeserializationUtils.buildLoaderOptions();
+
     }
 
     public ReferenceVisitor(
@@ -61,6 +68,7 @@ public ReferenceVisitor(
         this.context = context;
         this.permittedUrlsChecker = new PermittedUrlsChecker(context.getParseOptions().getRemoteRefAllowList(),
                 context.getParseOptions().getRemoteRefBlockList());
+        this.loaderOptions = DeserializationUtils.buildLoaderOptions();
     }
 
     public String toBaseURI(String uri) throws Exception{
@@ -301,7 +309,25 @@ public JsonNode findAnchor(JsonNode root, String anchor) {
 
     public JsonNode deserializeIntoTree(String content) throws Exception {
         boolean isJson = content.trim().startsWith("{");
-        return isJson ? Json31.mapper().readTree(content) : Yaml31.mapper().readTree(content);
+        if (isJson) {
+            return Json31.mapper().readTree(content);
+        }
+        Yaml yaml = getYaml();
+
+        Object yamlObject = yaml.load(content);
+        return Yaml31.mapper().valueToTree(yamlObject);
+    }
+
+    private Yaml getYaml() {
+        Yaml yaml;
+        String yamlCodePoints = System.getProperty("maxYamlCodePoints");
+        if (yamlCodePoints != null && !yamlCodePoints.isEmpty() && StringUtils.isNumeric(yamlCodePoints)) {
+            loaderOptions.setCodePointLimit(Integer.parseInt(yamlCodePoints));
+            yaml = new Yaml(loaderOptions);
+        } else {
+            yaml = new Yaml();
+        }
+        return yaml;
     }
 
     public JsonNode parse(String absoluteUri, List<AuthorizationValue> auths) throws Exception {
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/DeserializationUtils.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/DeserializationUtils.java
@@ -79,11 +79,11 @@ public void setYamlCycleCheck(boolean yamlCycleCheck) {
         }
 
         public Integer getMaxYamlCodePoints() {
-          return maxYamlCodePoints;
+            return maxYamlCodePoints;
         }
 
         public void setMaxYamlCodePoints(Integer maxYamlCodePoints) {
-          this.maxYamlCodePoints = maxYamlCodePoints;
+            this.maxYamlCodePoints = maxYamlCodePoints;
         }
         
         public Integer getMaxYamlAliasesForCollections() {
@@ -103,7 +103,7 @@ public void setYamlAllowRecursiveKeys(boolean yamlAllowRecursiveKeys) {
         }
     }
 
-    private static Options options = new Options();
+    private static final Options options = new Options();
 
     private static final Logger LOGGER = LoggerFactory.getLogger(DeserializationUtils.class);
 
@@ -145,7 +145,6 @@ protected void addImplicitResolvers() {
             addImplicitResolver(Tag.MERGE, MERGE, "<");
             addImplicitResolver(Tag.NULL, NULL, "~nN\0");
             addImplicitResolver(Tag.NULL, EMPTY, null);
-            // addImplicitResolver(Tag.TIMESTAMP, TIMESTAMP, "0123456789");
         }
     }
 
@@ -249,15 +248,15 @@ public static JsonNode readYamlTree(String contents, ParseOptions parseOptions,
             return Json.mapper().convertValue(yaml.load(contents), JsonNode.class);
         }
         try {
-            org.yaml.snakeyaml.Yaml yaml = null;
+            org.yaml.snakeyaml.Yaml yaml;
             if (options.isValidateYamlInput()) {
                 yaml = buildSnakeYaml(new CustomSnakeYamlConstructor());
             } else {
                 yaml = buildSnakeYaml(new SafeConstructor(buildLoaderOptions()));
             }
             Object o = yaml.load(contents);
             if (options.isValidateYamlInput()) {
-                boolean res = exceedsLimits(o, null, new Integer(0), new IdentityHashMap<Object, Long>(), deserializationUtilsResult);
+                boolean res = exceedsLimits(o, null, 0, new IdentityHashMap<>(), deserializationUtilsResult);
                 if (res) {
                     LOGGER.warn("Error converting snake-parsed yaml to JsonNode");
                     return getYaml30Mapper().readTree(contents);
@@ -270,8 +269,8 @@ public static JsonNode readYamlTree(String contents, ParseOptions parseOptions,
                 //
             }
             return Json.mapper().convertValue(o, JsonNode.class);
-        } catch (Throwable e) {
-            LOGGER.warn("Error snake-parsing yaml content", e);
+        } catch (Exception e) {
+            LOGGER.warn(e.getMessage(), e);
             if (deserializationUtilsResult != null) {
                 deserializationUtilsResult.message(e.getMessage());
             }
@@ -302,8 +301,7 @@ public static org.yaml.snakeyaml.Yaml buildSnakeYaml(BaseConstructor constructor
         }
         try {
             LoaderOptions loaderOptions = buildLoaderOptions();
-            org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(constructor, new Representer(new DumperOptions()), new DumperOptions(), loaderOptions, new CustomResolver());
-            return yaml;
+            return new org.yaml.snakeyaml.Yaml(constructor, new Representer(new DumperOptions()), new DumperOptions(), loaderOptions, new CustomResolver());
         } catch (Exception e) {
             //
             LOGGER.error("error building snakeYaml", e);
@@ -479,8 +477,8 @@ public Object getSingleData(Class<?> type) {
                 throw new SnakeException("StackOverflow safe-checking yaml content (maxDepth " + options.getMaxYamlDepth() + ")", e);
             } catch (DuplicateKeyException e) {
                 throw new SnakeException(e.getProblem().replace("found duplicate key", "Duplicate field"));
-            } catch (Throwable e) {
-                throw new SnakeException("Exception safe-checking yaml content  (maxDepth " + options.getMaxYamlDepth() + ", maxYamlAliasesForCollections " + options.getMaxYamlAliasesForCollections() + ")", e);
+            } catch (Exception e) {
+                throw new SnakeException(e.getMessage() + "; Max code points: " + options.getMaxYamlCodePoints(), e);
             }
         }
     }
diff --git a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/OpenAPIV3ParserLargeFilesTest.java b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/OpenAPIV3ParserLargeFilesTest.java
@@ -0,0 +1,36 @@
+package io.swagger.v3.parser;
+
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.parser.core.models.ParseOptions;
+import io.swagger.v3.parser.core.models.SwaggerParseResult;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertNotNull;
+
+public class OpenAPIV3ParserLargeFilesTest {
+
+    @BeforeClass
+    public static void init() {
+        System.setProperty("maxYamlCodePoints", "10000000");
+    }
+
+    @AfterClass
+    public void cleanUpAfterAllTests() {
+        System.clearProperty("maxYamlCodePoints");
+    }
+
+    @Test
+    public void issue2059() {
+        OpenAPIV3Parser openApiParser = new OpenAPIV3Parser();
+        ParseOptions options = new ParseOptions();
+        options.setResolve(true);
+        SwaggerParseResult parseResult = openApiParser.readLocation("issue2059/largeFile.yaml", null, options);
+        OpenAPI openAPI = parseResult.getOpenAPI();
+
+        assertNotNull(openAPI);
+        assertFalse(parseResult.getMessages().stream().anyMatch(message -> message.contains("exceeds the limit: 3145728")));
+    }
+}
diff --git a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/reference/ReferenceVisitorTest.java b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/reference/ReferenceVisitorTest.java
@@ -0,0 +1,64 @@
+package io.swagger.v3.parser.reference;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import org.testng.annotations.Test;
+import org.yaml.snakeyaml.error.YAMLException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.Assert.assertFalse;
+import static org.testng.Assert.assertNotNull;
+
+public class ReferenceVisitorTest {
+
+    @Test
+    public void largeFileShouldBeParsedByJacksonLibraryWhenCodeLimitIsSet() throws Exception {
+        System.setProperty("maxYamlCodePoints", "10000000");
+        ReferenceVisitor visitor = new ReferenceVisitor(null, null, null, null);
+        String resourceName = "/issue2059/largeFile.yaml";
+        String content = readResourceAsString(resourceName);
+
+        JsonNode jsonNode = visitor.deserializeIntoTree(content);
+
+        assertNotNull(content);
+        assertFalse(content.isEmpty());
+        assertNotNull(jsonNode);
+        System.clearProperty("maxYamlCodePoints");
+    }
+
+    @Test
+    public void largeFileShouldNotBeParsedByJacksonLibraryWhenCodeLimitIsNotSet() throws Exception {
+        ReferenceVisitor visitor = new ReferenceVisitor(null, null, null, null);
+        String resourceName = "/issue2059/largeFile.yaml";
+        String content = readResourceAsString(resourceName);
+
+        try {
+            visitor.deserializeIntoTree(content);
+            // Fail if no exception is thrown
+            org.testng.Assert.fail("Expected YAMLException was not thrown");
+        } catch (YAMLException ex) {
+            org.testng.Assert.assertTrue(
+                    ex.getMessage() != null &&
+                            ex.getMessage().contains("The incoming YAML document exceeds the limit: 3145728 code points."),
+                    "Unexpected YAMLException message: " + ex.getMessage()
+            );
+        }
+    }
+
+    private String readResourceAsString(String resourceName) throws IOException {
+        try (InputStream is = this.getClass().getResourceAsStream(resourceName)) {
+            if (is == null) {
+                throw new IOException("Resource not found: " + resourceName);
+            }
+            java.io.ByteArrayOutputStream buffer = new java.io.ByteArrayOutputStream();
+            byte[] data = new byte[4096];
+            int nRead;
+            while ((nRead = is.read(data, 0, data.length)) != -1) {
+                buffer.write(data, 0, nRead);
+            }
+            return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
+        }
+    }
+}
diff --git a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/test/OpenAPIV3ParserTest.java b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/test/OpenAPIV3ParserTest.java
diff --git a/modules/swagger-parser-v3/src/test/resources/issue2059/largeFile.yaml b/modules/swagger-parser-v3/src/test/resources/issue2059/largeFile.yaml

Original file line number	Diff line number	Diff line change
`@@ -79,11 +79,11 @@ public void setYamlCycleCheck(boolean yamlCycleCheck) {`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`public Integer getMaxYamlCodePoints() {`
`82`		`- return maxYamlCodePoints;`
	`82`	`+ return maxYamlCodePoints;`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`public void setMaxYamlCodePoints(Integer maxYamlCodePoints) {`
`86`		`- this.maxYamlCodePoints = maxYamlCodePoints;`
	`86`	`+ this.maxYamlCodePoints = maxYamlCodePoints;`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`public Integer getMaxYamlAliasesForCollections() {`
`@@ -103,7 +103,7 @@ public void setYamlAllowRecursiveKeys(boolean yamlAllowRecursiveKeys) {`
`103`	`103`	`}`
`104`	`104`	`}`
`105`	`105`
`106`		`- private static Options options = new Options();`
	`106`	`+ private static final Options options = new Options();`
`107`	`107`
`108`	`108`	`private static final Logger LOGGER = LoggerFactory.getLogger(DeserializationUtils.class);`
`109`	`109`
`@@ -145,7 +145,6 @@ protected void addImplicitResolvers() {`
`145`	`145`	`addImplicitResolver(Tag.MERGE, MERGE, "<");`
`146`	`146`	`addImplicitResolver(Tag.NULL, NULL, "~nN\0");`
`147`	`147`	`addImplicitResolver(Tag.NULL, EMPTY, null);`
`148`		`- // addImplicitResolver(Tag.TIMESTAMP, TIMESTAMP, "0123456789");`
`149`	`148`	`}`
`150`	`149`	`}`
`151`	`150`
`@@ -249,15 +248,15 @@ public static JsonNode readYamlTree(String contents, ParseOptions parseOptions,`
`249`	`248`	`return Json.mapper().convertValue(yaml.load(contents), JsonNode.class);`
`250`	`249`	`}`
`251`	`250`	`try {`
`252`		`- org.yaml.snakeyaml.Yaml yaml = null;`
	`251`	`+ org.yaml.snakeyaml.Yaml yaml;`
`253`	`252`	`if (options.isValidateYamlInput()) {`
`254`	`253`	`yaml = buildSnakeYaml(new CustomSnakeYamlConstructor());`
`255`	`254`	`} else {`
`256`	`255`	`yaml = buildSnakeYaml(new SafeConstructor(buildLoaderOptions()));`
`257`	`256`	`}`
`258`	`257`	`Object o = yaml.load(contents);`
`259`	`258`	`if (options.isValidateYamlInput()) {`
`260`		`- boolean res = exceedsLimits(o, null, new Integer(0), new IdentityHashMap<Object, Long>(), deserializationUtilsResult);`
	`259`	`+ boolean res = exceedsLimits(o, null, 0, new IdentityHashMap<>(), deserializationUtilsResult);`
`261`	`260`	`if (res) {`
`262`	`261`	`LOGGER.warn("Error converting snake-parsed yaml to JsonNode");`
`263`	`262`	`return getYaml30Mapper().readTree(contents);`
`@@ -270,8 +269,8 @@ public static JsonNode readYamlTree(String contents, ParseOptions parseOptions,`
`270`	`269`	`//`
`271`	`270`	`}`
`272`	`271`	`return Json.mapper().convertValue(o, JsonNode.class);`
`273`		`- } catch (Throwable e) {`
`274`		`- LOGGER.warn("Error snake-parsing yaml content", e);`
	`272`	`+ } catch (Exception e) {`
	`273`	`+ LOGGER.warn(e.getMessage(), e);`
`275`	`274`	`if (deserializationUtilsResult != null) {`
`276`	`275`	`deserializationUtilsResult.message(e.getMessage());`
`277`	`276`	`}`
`@@ -302,8 +301,7 @@ public static org.yaml.snakeyaml.Yaml buildSnakeYaml(BaseConstructor constructor`
`302`	`301`	`}`
`303`	`302`	`try {`
`304`	`303`	`LoaderOptions loaderOptions = buildLoaderOptions();`
`305`		`- org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(constructor, new Representer(new DumperOptions()), new DumperOptions(), loaderOptions, new CustomResolver());`
`306`		`- return yaml;`
	`304`	`+ return new org.yaml.snakeyaml.Yaml(constructor, new Representer(new DumperOptions()), new DumperOptions(), loaderOptions, new CustomResolver());`
`307`	`305`	`} catch (Exception e) {`
`308`	`306`	`//`
`309`	`307`	`LOGGER.error("error building snakeYaml", e);`
`@@ -479,8 +477,8 @@ public Object getSingleData(Class<?> type) {`
`479`	`477`	`throw new SnakeException("StackOverflow safe-checking yaml content (maxDepth " + options.getMaxYamlDepth() + ")", e);`
`480`	`478`	`} catch (DuplicateKeyException e) {`
`481`	`479`	`throw new SnakeException(e.getProblem().replace("found duplicate key", "Duplicate field"));`
`482`		`- } catch (Throwable e) {`
`483`		`- throw new SnakeException("Exception safe-checking yaml content (maxDepth " + options.getMaxYamlDepth() + ", maxYamlAliasesForCollections " + options.getMaxYamlAliasesForCollections() + ")", e);`
	`480`	`+ } catch (Exception e) {`
	`481`	`+ throw new SnakeException(e.getMessage() + "; Max code points: " + options.getMaxYamlCodePoints(), e);`
`484`	`482`	`}`
`485`	`483`	`}`
`486`	`484`	`}`