Skip to content

[DRAFT] deep nesting check #576

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

[DRAFT] deep nesting check #576

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5999766
deep nesting check
pjfanning Mar 5, 2023
95afa10
refactor
pjfanning Mar 5, 2023
2b503bf
Create DeepNestingParserTest.java
pjfanning Mar 5, 2023
affcd29
Update DeepNestingParserTest.java
pjfanning Mar 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 22 additions & 12 deletions src/main/java/com/fasterxml/jackson/dataformat/xml/deser/FromXmlParser.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -685,10 +685,10 @@ public JsonToken nextToken() throws IOException

switch (t) {
case START_OBJECT:
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
break;
case START_ARRAY:
_parsingContext = _parsingContext.createChildArrayContext(-1, -1);
createChildArrayContext(-1, -1);
break;
case END_OBJECT:
case END_ARRAY:
Expand Down Expand Up @@ -721,7 +721,7 @@ public JsonToken nextToken() throws IOException
if (_mayBeLeaf) {
// leave _mayBeLeaf set, as we start a new context
_nextToken = JsonToken.FIELD_NAME;
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
return (_currToken = JsonToken.START_OBJECT);
}
if (_parsingContext.inArray()) {
Expand Down Expand Up @@ -757,7 +757,7 @@ public JsonToken nextToken() throws IOException
// 06-Jan-2015, tatu: as per [dataformat-xml#180], need to
// expose as empty Object, not null
_nextToken = JsonToken.END_OBJECT;
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
return (_currToken = JsonToken.START_OBJECT);
}
// 07-Sep-2019, tatu: for [dataformat-xml#353], must NOT return second null
Expand All @@ -777,7 +777,7 @@ public JsonToken nextToken() throws IOException
_mayBeLeaf = false;
_nextToken = JsonToken.FIELD_NAME;
_currText = _xmlTokens.getText();
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
return (_currToken = JsonToken.START_OBJECT);
}
_parsingContext.setCurrentName(_xmlTokens.getLocalName());
Expand Down Expand Up @@ -807,7 +807,7 @@ public JsonToken nextToken() throws IOException
// expose as empty Object, not null (or, worse, as used to
// be done, by swallowing the token)
_nextToken = JsonToken.END_OBJECT;
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
return (_currToken = JsonToken.START_OBJECT);
}
}
Expand All @@ -821,7 +821,7 @@ public JsonToken nextToken() throws IOException
// fall-through, except must create new context AND push back
// START_ELEMENT we just saw:
_xmlTokens.pushbackCurrentToken();
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
}
// [dataformat-xml#177]: empty text may also need to be skipped
// but... [dataformat-xml#191]: looks like we can't short-cut, must
Expand Down Expand Up @@ -908,7 +908,7 @@ public String nextTextValue() throws IOException
while (token == XmlTokenStream.XML_START_ELEMENT) {
if (_mayBeLeaf) {
_nextToken = JsonToken.FIELD_NAME;
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
_currToken = JsonToken.START_OBJECT;
return null;
}
Expand Down Expand Up @@ -948,7 +948,7 @@ public String nextTextValue() throws IOException
_mayBeLeaf = false;
_nextToken = JsonToken.FIELD_NAME;
_currText = _xmlTokens.getText();
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
_currToken = JsonToken.START_OBJECT;
} else {
_parsingContext.setCurrentName(_xmlTokens.getLocalName());
Expand Down Expand Up @@ -987,14 +987,14 @@ public String nextTextValue() throws IOException
}


private void _updateState(JsonToken t)
private void _updateState(JsonToken t) throws IOException
{
switch (t) {
case START_OBJECT:
_parsingContext = _parsingContext.createChildObjectContext(-1, -1);
createChildObjectContext(-1, -1);
break;
case START_ARRAY:
_parsingContext = _parsingContext.createChildArrayContext(-1, -1);
createChildArrayContext(-1, -1);
break;
case END_OBJECT:
case END_ARRAY:
Expand Down Expand Up @@ -1424,4 +1424,14 @@ protected void _skipEndElement() throws IOException {
throw new JsonParseException(this, e.getMessage(), e);
}
}

private void createChildArrayContext(final int lineNr, final int colNr) throws IOException {
_parsingContext = _parsingContext.createChildArrayContext(lineNr, colNr);
_streamReadConstraints.validateNestingDepth(_parsingContext.getNestingDepth());
}

private void createChildObjectContext(final int lineNr, final int colNr) throws IOException {
_parsingContext = _parsingContext.createChildObjectContext(lineNr, colNr);
_streamReadConstraints.validateNestingDepth(_parsingContext.getNestingDepth());
}
}
1 change: 1 addition & 0 deletions src/main/java/com/fasterxml/jackson/dataformat/xml/deser/XmlReadContext.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ public XmlReadContext(XmlReadContext parent, int type, int lineNr, int colNr)
_lineNr = lineNr;
_columnNr = colNr;
_index = -1;
_nestingDepth = parent == null ? 0 : parent._nestingDepth + 1;
}

protected final void reset(int type, int lineNr, int colNr)
Expand Down
55 changes: 55 additions & 0 deletions src/test/java/com/fasterxml/jackson/dataformat/xml/stream/dos/DeepNestingParserTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
package com.fasterxml.jackson.dataformat.xml.stream.dos;

import com.ctc.wstx.stax.WstxInputFactory;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import com.fasterxml.jackson.dataformat.xml.XmlTestBase;

public class DeepNestingParserTest extends XmlTestBase {


public void testDeepDoc() throws Exception
{
final XmlMapper xmlMapper = newMapper();
final String XML = createDeepNestedDoc(1050);
try (JsonParser p = xmlMapper.createParser(XML)) {
JsonToken jt;
while ((jt = p.nextToken()) != null) {

}
fail("expected JsonParseException");
} catch (JsonParseException e) {
assertEquals("Maximum Element Depth limit (1000) Exceeded", e.getMessage());
}
}

public void testDeepDocWithCustomDepthLimit() throws Exception
{
final WstxInputFactory wstxInputFactory = new WstxInputFactory();
wstxInputFactory.getConfig().setMaxElementDepth(2000);
final XmlMapper xmlMapper = new XmlMapper(wstxInputFactory);
final String XML = createDeepNestedDoc(1050);
try (JsonParser p = xmlMapper.createParser(XML)) {
JsonToken jt;
while ((jt = p.nextToken()) != null) {

}
}
}

private String createDeepNestedDoc(final int depth) {
StringBuilder sb = new StringBuilder();
sb.append("<root>");
for (int i = 0; i < depth; i++) {
sb.append("<leaf>");
}
sb.append("abc");
for (int i = 0; i < depth; i++) {
sb.append("</leaf>");
}
sb.append("</root>");
return sb.toString();
}
}