fix: Add HTTP JSON parsing recursion depth limit (#8172)

Author: pskiran1

qa/L0_http/http_test.py

@@ -1,5 +1,5 @@
 #!/usr/bin/python
-# Copyright 2022-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# Copyright 2022-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -273,6 +273,55 @@ def test_loading_large_invalid_model(self):
         except ValueError:
             self.fail("Response is not valid JSON")
 
+    def test_json_recursion_depth_limit(self):
+        """Test that server properly handles and rejects deeply nested JSON."""
+
+        def create_nested_json(depth, value):
+            for _ in range(depth):
+                value = f"[{value}]"
+            return json.loads(value)
+
+        headers = {"Content-Type": "application/json"}
+        test_matrix = [
+            # (datatype, data, model, json_depth, should_succeed)
+            ("BYTES", '"hello"', "simple_identity", 120, False),
+            ("BYTES", '"hello"', "simple_identity", 50, True),
+            ("INT64", "123", "simple_identity_int64", 120, False),
+            ("INT64", "123", "simple_identity_int64", 50, True),
+        ]
+
+        for dtype, data, model, json_depth, should_succeed in test_matrix:
+            with self.subTest(
+                datatype=dtype, depth=json_depth, should_succeed=should_succeed
+            ):
+                payload = {
+                    "inputs": [
+                        {
+                            "name": "INPUT0",
+                            "datatype": dtype,
+                            "shape": [1, 1],
+                            "data": create_nested_json(json_depth, data),
+                        }
+                    ]
+                }
+
+                response = requests.post(
+                    self._get_infer_url(model), headers=headers, json=payload
+                )
+
+                if should_succeed:
+                    self.assertEqual(response.status_code, 200)
+                else:
+                    self.assertNotEqual(response.status_code, 200)
+                    try:
+                        error_message = response.json().get("error", "")
+                        self.assertIn(
+                            "JSON nesting depth exceeds maximum allowed limit (100)",
+                            error_message,
+                        )
+                    except ValueError:
+                        self.fail("Response is not valid JSON")
+
 
 if __name__ == "__main__":
     unittest.main()

qa/L0_http/test.sh

@@ -612,6 +612,12 @@ cp -r ${MODELDIR}/onnx_zero_1_float32 ${MODELDIR}/onnx_zero_1_float32_queue && \
         echo "    }" >> config.pbtxt && \
         echo "}" >> config.pbtxt)
 
+cp -r ./models/simple_identity ${MODELDIR}
+cp -r ./models/simple_identity ${MODELDIR}/simple_identity_int64 && \
+    (cd $MODELDIR/simple_identity_int64 && \
+        sed -i "s/TYPE_STRING/TYPE_INT64/" config.pbtxt && \
+        sed -i "s/simple_identity/simple_identity_int64/" config.pbtxt)
+
 SERVER_ARGS="--backend-directory=${BACKEND_DIR} --model-repository=${MODELDIR}"
 SERVER_LOG="./inference_server_http_test.log"
 CLIENT_LOG="./http_test.log"
@@ -624,7 +630,7 @@ fi
 
 TEST_RESULT_FILE='test_results.txt'
 PYTHON_TEST=http_test.py
-EXPECTED_NUM_TESTS=10
+EXPECTED_NUM_TESTS=11
 set +e
 python $PYTHON_TEST >$CLIENT_LOG 2>&1
 if [ $? -ne 0 ]; then

src/common.h

@@ -1,4 +1,4 @@
-// Copyright 2019-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// Copyright 2019-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions
@@ -51,6 +51,9 @@ constexpr int MAX_GRPC_MESSAGE_SIZE = INT32_MAX;
 /// dimension can take on any size.
 constexpr int WILDCARD_DIM = -1;
 
+// Maximum allowed depth for JSON parsing
+constexpr int32_t HTTP_MAX_JSON_NESTING_DEPTH = 100;
+
 /// Request parameter keys that start with a "triton_" prefix for internal use
 const std::vector<std::string> TRITON_RESERVED_REQUEST_PARAMS{
     "triton_enable_empty_final_response"};

src/http_server.cc

@@ -437,16 +437,26 @@ AllocEVBuffer(const size_t byte_size, evbuffer** evb, void** base)
 // Recursively adds to byte_size from multi dimensional data input
 TRITONSERVER_Error*
 JsonBytesArrayByteSize(
-    triton::common::TritonJson::Value& tensor_data, size_t* byte_size)
+    triton::common::TritonJson::Value& tensor_data, size_t* byte_size,
+    int current_depth = 0)
 {
+  if (current_depth >= HTTP_MAX_JSON_NESTING_DEPTH) {
+    return TRITONSERVER_ErrorNew(
+        TRITONSERVER_ERROR_INVALID_ARG,
+        ("JSON nesting depth exceeds maximum allowed "
+         "limit (" +
+         std::to_string(HTTP_MAX_JSON_NESTING_DEPTH) + ")")
+            .c_str());
+  }
+
   *byte_size = 0;
   // Recurse if not last dimension...
   if (tensor_data.IsArray()) {
     for (size_t i = 0; i < tensor_data.ArraySize(); i++) {
       triton::common::TritonJson::Value el;
       RETURN_IF_ERR(tensor_data.At(i, &el));
       size_t byte_size_;
-      RETURN_IF_ERR(JsonBytesArrayByteSize(el, &byte_size_));
+      RETURN_IF_ERR(JsonBytesArrayByteSize(el, &byte_size_, current_depth + 1));
       *byte_size += byte_size_;
     }
   } else {
@@ -466,20 +476,29 @@ TRITONSERVER_Error*
 ReadDataFromJsonHelper(
     char* base, const TRITONSERVER_DataType dtype,
     triton::common::TritonJson::Value& tensor_data, int* counter,
-    int64_t expected_cnt)
+    int64_t expected_cnt, int current_depth = 0)
 {
   // FIXME should move 'switch' statement outside the recursive function and
   // pass in a read data callback once data type is confirmed.
   // Currently 'switch' is performed on each element even through all elements
   // have the same data type.
 
+  if (current_depth >= HTTP_MAX_JSON_NESTING_DEPTH) {
+    return TRITONSERVER_ErrorNew(
+        TRITONSERVER_ERROR_INVALID_ARG,
+        ("JSON nesting depth exceeds maximum allowed "
+         "limit (" +
+         std::to_string(HTTP_MAX_JSON_NESTING_DEPTH) + ")")
+            .c_str());
+  }
+
   // Recurse on array element if not last dimension...
   if (tensor_data.IsArray()) {
     for (size_t i = 0; i < tensor_data.ArraySize(); i++) {
       triton::common::TritonJson::Value el;
       RETURN_IF_ERR(tensor_data.At(i, &el));
-      RETURN_IF_ERR(
-          ReadDataFromJsonHelper(base, dtype, el, counter, expected_cnt));
+      RETURN_IF_ERR(ReadDataFromJsonHelper(
+          base, dtype, el, counter, expected_cnt, current_depth + 1));
     }
   } else {
     // Check if writing to 'serialized' is overrunning the expected byte_size