Skip to content

Commit d78d00e

Browse files
cowtowncodercowtowncoder
committed
Fix #3590 
1 parent 7ef87cb commit d78d00e

File tree

3 files changed

+137
-12
lines changed

3 files changed

+137
-12
lines changed

release-notes/VERSION-2.x

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,8 @@ Project: jackson-databind
5757
#3559: Support `null`-valued `Map` fields with "any setter"
5858
#3568: Change `JsonNode.with(String)` and `withArray(String)` to consider
5959
argument as `JsonPointer` if valid expression
60+
#3590: Add check in primitive value deserializers to avoid deep wrapper array
61+
nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS`
6062

6163
2.13.4 (03-Sep-2022)
6264

src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java

Lines changed: 40 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -357,12 +357,8 @@ protected T _deserializeWrappedValue(JsonParser p, DeserializationContext ctxt)
357357
// 23-Mar-2017, tatu: Let's specifically block recursive resolution to avoid
358358
// either supporting nested arrays, or to cause infinite looping.
359359
if (p.hasToken(JsonToken.START_ARRAY)) {
360-
String msg = String.format(
361-
"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
362-
ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
363-
"DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
364360
@SuppressWarnings("unchecked")
365-
T result = (T) ctxt.handleUnexpectedToken(getValueType(ctxt), p.currentToken(), p, msg);
361+
T result = (T) handleNestedArrayForSingle(p, ctxt);
366362
return result;
367363
}
368364
return (T) deserialize(p, ctxt);
@@ -413,7 +409,9 @@ protected final boolean _parseBooleanPrimitive(JsonParser p, DeserializationCont
413409
case JsonTokenId.ID_START_ARRAY:
414410
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
415411
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
416-
p.nextToken();
412+
if (p.nextToken() == JsonToken.START_ARRAY) {
413+
return (boolean) handleNestedArrayForSingle(p, ctxt);
414+
}
417415
final boolean parsed = _parseBooleanPrimitive(p, ctxt);
418416
_verifyEndArrayForSingle(p, ctxt);
419417
return parsed;
@@ -582,7 +580,9 @@ protected final byte _parseBytePrimitive(JsonParser p, DeserializationContext ct
582580
case JsonTokenId.ID_START_ARRAY: // unwrapping / from-empty-array coercion?
583581
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
584582
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
585-
p.nextToken();
583+
if (p.nextToken() == JsonToken.START_ARRAY) {
584+
return (byte) handleNestedArrayForSingle(p, ctxt);
585+
}
586586
final byte parsed = _parseBytePrimitive(p, ctxt);
587587
_verifyEndArrayForSingle(p, ctxt);
588588
return parsed;
@@ -652,7 +652,9 @@ protected final short _parseShortPrimitive(JsonParser p, DeserializationContext
652652
case JsonTokenId.ID_START_ARRAY:
653653
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
654654
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
655-
p.nextToken();
655+
if (p.nextToken() == JsonToken.START_ARRAY) {
656+
return (short) handleNestedArrayForSingle(p, ctxt);
657+
}
656658
final short parsed = _parseShortPrimitive(p, ctxt);
657659
_verifyEndArrayForSingle(p, ctxt);
658660
return parsed;
@@ -719,7 +721,9 @@ protected final int _parseIntPrimitive(JsonParser p, DeserializationContext ctxt
719721
break;
720722
case JsonTokenId.ID_START_ARRAY:
721723
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
722-
p.nextToken();
724+
if (p.nextToken() == JsonToken.START_ARRAY) {
725+
return (int) handleNestedArrayForSingle(p, ctxt);
726+
}
723727
final int parsed = _parseIntPrimitive(p, ctxt);
724728
_verifyEndArrayForSingle(p, ctxt);
725729
return parsed;
@@ -870,7 +874,9 @@ protected final long _parseLongPrimitive(JsonParser p, DeserializationContext ct
870874
break;
871875
case JsonTokenId.ID_START_ARRAY:
872876
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
873-
p.nextToken();
877+
if (p.nextToken() == JsonToken.START_ARRAY) {
878+
return (long) handleNestedArrayForSingle(p, ctxt);
879+
}
874880
final long parsed = _parseLongPrimitive(p, ctxt);
875881
_verifyEndArrayForSingle(p, ctxt);
876882
return parsed;
@@ -1003,7 +1009,9 @@ protected final float _parseFloatPrimitive(JsonParser p, DeserializationContext
10031009
break;
10041010
case JsonTokenId.ID_START_ARRAY:
10051011
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
1006-
p.nextToken();
1012+
if (p.nextToken() == JsonToken.START_ARRAY) {
1013+
return (float) handleNestedArrayForSingle(p, ctxt);
1014+
}
10071015
final float parsed = _parseFloatPrimitive(p, ctxt);
10081016
_verifyEndArrayForSingle(p, ctxt);
10091017
return parsed;
@@ -1132,7 +1140,9 @@ protected final double _parseDoublePrimitive(JsonParser p, DeserializationContex
11321140
break;
11331141
case JsonTokenId.ID_START_ARRAY:
11341142
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
1135-
p.nextToken();
1143+
if (p.nextToken() == JsonToken.START_ARRAY) {
1144+
return (double) handleNestedArrayForSingle(p, ctxt);
1145+
}
11361146
final double parsed = _parseDoublePrimitive(p, ctxt);
11371147
_verifyEndArrayForSingle(p, ctxt);
11381148
return parsed;
@@ -1313,6 +1323,9 @@ protected java.util.Date _parseDateFromArray(JsonParser p, DeserializationContex
13131323
default:
13141324
}
13151325
} else if (unwrap) {
1326+
if (t == JsonToken.START_ARRAY) {
1327+
return (java.util.Date) handleNestedArrayForSingle(p, ctxt);
1328+
}
13161329
final Date parsed = _parseDate(p, ctxt);
13171330
_verifyEndArrayForSingle(p, ctxt);
13181331
return parsed;
@@ -2109,6 +2122,21 @@ protected void handleMissingEndArrayForSingle(JsonParser p, DeserializationConte
21092122
// but for now just fall through
21102123
}
21112124

2125+
/**
2126+
* Helper method called when detecting a deep(er) nesting of Arrays when trying
2127+
* to unwrap value for {@code DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS}.
2128+
*
2129+
* @since 2.14
2130+
*/
2131+
protected Object handleNestedArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
2132+
{
2133+
String msg = String.format(
2134+
"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
2135+
ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
2136+
"DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
2137+
return ctxt.handleUnexpectedToken(getValueType(ctxt), p.currentToken(), p, msg);
2138+
}
2139+
21122140
protected void _verifyEndArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
21132141
{
21142142
JsonToken t = p.nextToken();

src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
package com.fasterxml.jackson.databind.deser.dos;
2+
3+
import java.util.Date;
4+
5+
import com.fasterxml.jackson.databind.*;
6+
import com.fasterxml.jackson.databind.exc.MismatchedInputException;
7+
8+
public class DeepArrayWrappingForDeser3590Test extends BaseMapTest
9+
{
10+
// 05-Sep-2022, tatu: Before fix, failed with 5000
11+
private final static int TOO_DEEP_NESTING = 9999;
12+
13+
private final ObjectMapper MAPPER = jsonMapperBuilder()
14+
.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
15+
.build();
16+
17+
private final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "123");
18+
19+
public void testArrayWrappingForBoolean() throws Exception
20+
{
21+
_testArrayWrappingFor(Boolean.class);
22+
_testArrayWrappingFor(Boolean.TYPE);
23+
}
24+
25+
public void testArrayWrappingForByte() throws Exception
26+
{
27+
_testArrayWrappingFor(Byte.class);
28+
_testArrayWrappingFor(Byte.TYPE);
29+
}
30+
31+
public void testArrayWrappingForShort() throws Exception
32+
{
33+
_testArrayWrappingFor(Short.class);
34+
_testArrayWrappingFor(Short.TYPE);
35+
}
36+
37+
public void testArrayWrappingForInt() throws Exception
38+
{
39+
_testArrayWrappingFor(Integer.class);
40+
_testArrayWrappingFor(Integer.TYPE);
41+
}
42+
43+
public void testArrayWrappingForLong() throws Exception
44+
{
45+
_testArrayWrappingFor(Long.class);
46+
_testArrayWrappingFor(Long.TYPE);
47+
}
48+
49+
public void testArrayWrappingForFloat() throws Exception
50+
{
51+
_testArrayWrappingFor(Float.class);
52+
_testArrayWrappingFor(Float.TYPE);
53+
}
54+
55+
public void testArrayWrappingForDouble() throws Exception
56+
{
57+
_testArrayWrappingFor(Double.class);
58+
_testArrayWrappingFor(Double.TYPE);
59+
}
60+
61+
public void testArrayWrappingForDate() throws Exception
62+
{
63+
_testArrayWrappingFor(Date.class);
64+
}
65+
66+
private void _testArrayWrappingFor(Class<?> cls) throws Exception
67+
{
68+
try {
69+
MAPPER.readValue(TOO_DEEP_DOC, cls);
70+
fail("Should not pass");
71+
} catch (MismatchedInputException e) {
72+
verifyException(e, "Cannot deserialize");
73+
verifyException(e, "nested Arrays not allowed");
74+
}
75+
}
76+
77+
private static String _nestedDoc(int nesting, String open, String close, String content) {
78+
StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
79+
for (int i = 0; i < nesting; ++i) {
80+
sb.append(open);
81+
if ((i & 31) == 0) {
82+
sb.append("\n");
83+
}
84+
}
85+
sb.append("\n").append(content).append("\n");
86+
for (int i = 0; i < nesting; ++i) {
87+
sb.append(close);
88+
if ((i & 31) == 0) {
89+
sb.append("\n");
90+
}
91+
}
92+
return sb.toString();
93+
}
94+
95+
}

0 commit comments

Comments
 (0)