seq: Allow overlapping between list items and other items

Example of such XML:

  <item/>
  <another-item/>
  <item/>
  <item/>

Here we need to skip `<another-item/>` in order to collect all `<item/>`s.
So ability to skip events and replay them later was added

This fixes all remaining tests

Co-authored-by: Daniel Alley <[email protected]>

Author: Mingun

.github/workflows/rust.yml

@@ -40,6 +40,10 @@ jobs:
       env:
         LLVM_PROFILE_FILE: coverage/serialize-escape-html-%p-%m.profraw
       run: cargo test --features serialize,escape-html
+    - name: Run tests (all features)
+      env:
+        LLVM_PROFILE_FILE: coverage/all-features-%p-%m.profraw
+      run: cargo test --all-features
     - name: Prepare coverage information for upload
       if: runner.os == 'Linux'
       # --token is required by grcov, but not required by coveralls.io, so pass

Cargo.toml

@@ -42,6 +42,46 @@ default = []
 ## [standard compliant]: https://www.w3.org/TR/xml11/#charencoding
 encoding = ["encoding_rs"]
 
+## This feature enables support for deserializing lists where tags are overlapped
+## with tags that do not correspond to the list.
+##
+## When this feature is enabled, the XML:
+## ```xml
+## <any-name>
+##   <item/>
+##   <another-item/>
+##   <item/>
+##   <item/>
+## </any-name>
+## ```
+## could be deserialized to a struct:
+## ```ignore
+## #[derive(Deserialize)]
+## #[serde(rename_all = "kebab-case")]
+## struct AnyName {
+##   item: Vec<()>,
+##   another_item: (),
+## }
+## ```
+##
+## When this feature is not enabled (default), only the first element will be
+## associated with the field, and the deserialized type will report an error
+## (duplicated field) when the deserializer encounters a second `<item/>`.
+##
+## Note, that enabling this feature can lead to high and even unlimited memory
+## consumption, because deserializer should check all events up to the end of a
+## container tag (`</any-name>` in that example) to figure out that there are no
+## more items for a field. If `</any-name>` or even EOF is not encountered, the
+## parsing will never end which can lead to a denial-of-service (DoS) scenario.
+##
+## Having several lists and overlapped elements for them in XML could also lead
+## to quadratic parsing time, because the deserializer must check the list of
+## events as many times as the number of sequence fields present in the schema.
+##
+## This feature works only with `serialize` feature and has no effect if `serialize`
+## is not enabled.
+overlapped-lists = []
+
 ## Enables support for [`serde`] serialization and deserialization
 serialize = ["serde"]
 

Changelog.md

@@ -10,6 +10,11 @@
 
 ## Unreleased
 
+### New Features
+
+- [#387]: Allow overlapping between elements of sequence and other elements
+  (using new feature `overlapped-lists`)
+
 ### Bug Fixes
 
 - [#9]: Deserialization erroneously was successful in some cases where error is expected.

src/de/map.rs

@@ -105,6 +105,9 @@ enum ValueSource {
     /// [list of known fields]: MapAccess::fields
     Content,
     /// Next value should be deserialized from an element with a dedicated name.
+    /// If deserialized type is a sequence, then that sequence will collect all
+    /// elements with the same name until it will be filled. If not all elements
+    /// would be consumed, the rest will be ignored.
     ///
     /// That state is set when call to [`peek()`] returns a [`Start`] event, which
     /// [`name()`] represents a field name. That name will be deserialized as a key.
@@ -569,7 +572,11 @@ where
     map: &'m mut MapAccess<'de, 'a, R>,
     /// Filter that determines whether a tag is a part of this sequence.
     ///
-    /// Iteration will stop when found a tag that does not pass this filter.
+    /// When feature `overlapped-lists` is not activated, iteration will stop
+    /// when found a tag that does not pass this filter.
+    ///
+    /// When feature `overlapped-lists` is activated, all tags, that not pass
+    /// this check, will be skipped.
     filter: TagFilter<'de>,
 }
 
@@ -584,20 +591,29 @@ where
         T: DeserializeSeed<'de>,
     {
         let decoder = self.map.de.reader.decoder();
-        match self.map.de.peek()? {
-            // Stop iteration when list elements ends
-            DeEvent::Start(e) if !self.filter.is_suitable(&e, decoder)? => Ok(None),
+        loop {
+            break match self.map.de.peek()? {
+                // If we see a tag that we not interested, skip it
+                #[cfg(feature = "overlapped-lists")]
+                DeEvent::Start(e) if !self.filter.is_suitable(&e, decoder)? => {
+                    self.map.de.skip()?;
+                    continue;
+                }
+                // Stop iteration when list elements ends
+                #[cfg(not(feature = "overlapped-lists"))]
+                DeEvent::Start(e) if !self.filter.is_suitable(&e, decoder)? => Ok(None),
 
-            // Stop iteration after reaching a closing tag
-            DeEvent::End(e) if e.name() == self.map.start.name() => Ok(None),
-            // This is a unmatched closing tag, so the XML is invalid
-            DeEvent::End(e) => Err(DeError::UnexpectedEnd(e.name().to_owned())),
-            // We cannot get `Eof` legally, because we always inside of the
-            // opened tag `self.map.start`
-            DeEvent::Eof => Err(DeError::UnexpectedEof),
+                // Stop iteration after reaching a closing tag
+                DeEvent::End(e) if e.name() == self.map.start.name() => Ok(None),
+                // This is a unmatched closing tag, so the XML is invalid
+                DeEvent::End(e) => Err(DeError::UnexpectedEnd(e.name().to_owned())),
+                // We cannot get `Eof` legally, because we always inside of the
+                // opened tag `self.map.start`
+                DeEvent::Eof => Err(DeError::UnexpectedEof),
 
-            // Start(tag), Text, CData
-            _ => seed.deserialize(&mut *self.map.de).map(Some),
+                // Start(tag), Text, CData
+                _ => seed.deserialize(&mut *self.map.de).map(Some),
+            };
         }
     }
 }