Fix #4011: add maximum length, nesting limits for canonical type definitions (#4013)

cowtowncoder · web-flow · commit 9684204f3073 · 2023-07-04T20:22:00.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -27,6 +27,7 @@ Project: jackson-databind
   on serialization
 #4008: Optimize `ObjectNode` findValue(s) and findParent(s) fast paths
  (contributed by David S)
+#4011: Add guardrail setting for `TypeParser` handling of type parameters
 
 2.15.3 (not yet released)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/type/TypeParser.java b/src/main/java/com/fasterxml/jackson/databind/type/TypeParser.java
@@ -14,6 +14,22 @@ public class TypeParser
 {
     private static final long serialVersionUID = 1L;
 
+    /**
+     * Maximum length of canonical type definition we will try to parse.
+     * Used as protection for malformed generic type declarations.
+     *
+     * @since 2.16
+     */
+    protected static final int MAX_TYPE_LENGTH = 64_000;
+
+    /**
+     * Maximum levels of nesting allowed for parameterized types.
+     * Used as protection for malformed generic type declarations.
+     *
+     * @since 2.16
+     */
+    protected static final int MAX_TYPE_NESTING = 1000;
+
     protected final TypeFactory _factory;
 
     public TypeParser(TypeFactory f) {
@@ -29,16 +45,24 @@ public TypeParser withFactory(TypeFactory f) {
 
     public JavaType parse(String canonical) throws IllegalArgumentException
     {
+        if (canonical.length() > MAX_TYPE_LENGTH) {
+            throw new IllegalArgumentException(String.format(
+                    "Failed to parse type %s: too long (%d characters), maximum length allowed: %d",
+                    _quoteTruncated(canonical),
+                    canonical.length(),
+                    MAX_TYPE_LENGTH));
+
+        }
         MyTokenizer tokens = new MyTokenizer(canonical.trim());
-        JavaType type = parseType(tokens);
+        JavaType type = parseType(tokens, MAX_TYPE_NESTING);
         // must be end, now
         if (tokens.hasMoreTokens()) {
             throw _problem(tokens, "Unexpected tokens after complete type");
         }
         return type;
     }
 
-    protected JavaType parseType(MyTokenizer tokens)
+    protected JavaType parseType(MyTokenizer tokens, int nestingAllowed)
         throws IllegalArgumentException
     {
         if (!tokens.hasMoreTokens()) {
@@ -50,7 +74,7 @@ protected JavaType parseType(MyTokenizer tokens)
         if (tokens.hasMoreTokens()) {
             String token = tokens.nextToken();
             if ("<".equals(token)) {
-                List<JavaType> parameterTypes = parseTypes(tokens);
+                List<JavaType> parameterTypes = parseTypes(tokens, nestingAllowed-1);
                 TypeBindings b = TypeBindings.create(base, parameterTypes);
                 return _factory._fromClass(null, base, b);
             }
@@ -60,12 +84,16 @@ protected JavaType parseType(MyTokenizer tokens)
         return _factory._fromClass(null, base, TypeBindings.emptyBindings());
     }
 
-    protected List<JavaType> parseTypes(MyTokenizer tokens)
+    protected List<JavaType> parseTypes(MyTokenizer tokens, int nestingAllowed)
         throws IllegalArgumentException
     {
+        if (nestingAllowed < 0) {
+            throw _problem(tokens, "too deeply nested; exceeds maximum of "
+                    +MAX_TYPE_NESTING+" nesting levels");
+        }
         ArrayList<JavaType> types = new ArrayList<JavaType>();
         while (tokens.hasMoreTokens()) {
-            types.add(parseType(tokens));
+            types.add(parseType(tokens, nestingAllowed));
             if (!tokens.hasMoreTokens()) break;
             String token = tokens.nextToken();
             if (">".equals(token)) return types;
@@ -88,10 +116,20 @@ protected Class<?> findClass(String className, MyTokenizer tokens)
 
     protected IllegalArgumentException _problem(MyTokenizer tokens, String msg)
     {
-        return new IllegalArgumentException(String.format("Failed to parse type '%s' (remaining: '%s'): %s",
-                tokens.getAllInput(), tokens.getRemainingInput(), msg));
+        return new IllegalArgumentException(String.format("Failed to parse type %s (remaining: %s): %s",
+                _quoteTruncated(tokens.getAllInput()),
+                _quoteTruncated(tokens.getRemainingInput()),
+                msg));
     }
 
+    private static String _quoteTruncated(String str) {
+        if (str.length() <= 1000) {
+            return "'"+str+"'";
+        }
+        return String.format("'%s...'[truncated %d charaters]",
+                str.substring(0, 1000), str.length() - 1000);
+    }
+    
     final static class MyTokenizer extends StringTokenizer
     {
         protected final String _input;
diff --git a/src/test/java/com/fasterxml/jackson/databind/type/TestTypeFactory.java b/src/test/java/com/fasterxml/jackson/databind/type/TestTypeFactory.java
@@ -8,6 +8,7 @@
 import com.fasterxml.jackson.databind.*;
 
 import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertThrows;
 
 /**
  * Simple tests to verify that the {@link TypeFactory} constructs
@@ -295,6 +296,40 @@ public void testCanonicalWithSpaces()
         assertEquals(t2, t1);
     }
 
+    // [databind#4011]
+    public void testMalicousCanonical()
+    {
+        final TypeFactory tf = TypeFactory.defaultInstance();
+
+        // First: too deep nesting
+        final int NESTING = TypeParser.MAX_TYPE_NESTING + 100;
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < NESTING; ++i) {
+            sb.append("java.util.List<");
+        }
+        sb.append("java.lang.String");
+        for (int i = 0; i < NESTING; ++i) {
+            sb.append('>');
+        }
+
+        final String deepCanonical = sb.toString();
+        Exception e = assertThrows(IllegalArgumentException.class,
+                   () -> tf.constructFromCanonical(deepCanonical));
+        verifyException(e, "too deeply nested");
+
+        // And second, too long in general
+        final int MAX_LEN = TypeParser.MAX_TYPE_LENGTH + 100;
+        sb = new StringBuilder().append("java.util.List<");
+        while (sb.length() < MAX_LEN) {
+            sb.append("java.lang.String,");
+        }
+        sb.append("java.lang.Integer>");
+        final String longCanonical = sb.toString();
+        e = assertThrows(IllegalArgumentException.class,
+                () -> tf.constructFromCanonical(longCanonical));
+         verifyException(e, "too long");
+    }
+
     /*
     /**********************************************************
     /* Unit tests: collection type parameter resolution
