1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
|
From: Markus Koschany <apo@debian.org>
Date: Tue, 15 Nov 2022 13:21:08 +0100
Subject: CVE-2022-42003
Origin: https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33
---
.../databind/deser/std/StdDeserializer.java | 52 +++++++++---
.../dos/DeepArrayWrappingForDeser3590Test.java | 95 ++++++++++++++++++++++
2 files changed, 135 insertions(+), 12 deletions(-)
create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
index 4be658e..da3167c 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
@@ -357,12 +357,8 @@ public abstract class StdDeserializer<T>
// 23-Mar-2017, tatu: Let's specifically block recursive resolution to avoid
// either supporting nested arrays, or to cause infinite looping.
if (p.hasToken(JsonToken.START_ARRAY)) {
- String msg = String.format(
-"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
- ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
- "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
@SuppressWarnings("unchecked")
- T result = (T) ctxt.handleUnexpectedToken(getValueType(ctxt), p.currentToken(), p, msg);
+ T result = (T) handleNestedArrayForSingle(p, ctxt);
return result;
}
return (T) deserialize(p, ctxt);
@@ -413,7 +409,9 @@ public abstract class StdDeserializer<T>
case JsonTokenId.ID_START_ARRAY:
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (boolean) handleNestedArrayForSingle(p, ctxt);
+ }
final boolean parsed = _parseBooleanPrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -582,7 +580,9 @@ public abstract class StdDeserializer<T>
case JsonTokenId.ID_START_ARRAY: // unwrapping / from-empty-array coercion?
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (byte) handleNestedArrayForSingle(p, ctxt);
+ }
final byte parsed = _parseBytePrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -650,7 +650,9 @@ public abstract class StdDeserializer<T>
case JsonTokenId.ID_START_ARRAY:
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (short) handleNestedArrayForSingle(p, ctxt);
+ }
final short parsed = _parseShortPrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -715,7 +717,9 @@ public abstract class StdDeserializer<T>
break;
case JsonTokenId.ID_START_ARRAY:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (int) handleNestedArrayForSingle(p, ctxt);
+ }
final int parsed = _parseIntPrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -842,7 +846,9 @@ public abstract class StdDeserializer<T>
break;
case JsonTokenId.ID_START_ARRAY:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (long) handleNestedArrayForSingle(p, ctxt);
+ }
final long parsed = _parseLongPrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -953,7 +959,9 @@ public abstract class StdDeserializer<T>
break;
case JsonTokenId.ID_START_ARRAY:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (float) handleNestedArrayForSingle(p, ctxt);
+ }
final float parsed = _parseFloatPrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -1058,7 +1066,9 @@ public abstract class StdDeserializer<T>
break;
case JsonTokenId.ID_START_ARRAY:
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- p.nextToken();
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return (double) handleNestedArrayForSingle(p, ctxt);
+ }
final double parsed = _parseDoublePrimitive(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -1214,6 +1224,9 @@ public abstract class StdDeserializer<T>
default:
}
} else if (unwrap) {
+ if (t == JsonToken.START_ARRAY) {
+ return (java.util.Date) handleNestedArrayForSingle(p, ctxt);
+ }
final Date parsed = _parseDate(p, ctxt);
_verifyEndArrayForSingle(p, ctxt);
return parsed;
@@ -1990,6 +2003,21 @@ handledType().getName());
// but for now just fall through
}
+ /**
+ * Helper method called when detecting a deep(er) nesting of Arrays when trying
+ * to unwrap value for {@code DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS}.
+ *
+ * @since 2.14
+ */
+ protected Object handleNestedArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
+ {
+ String msg = String.format(
+"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
+ ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
+ "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
+ return ctxt.handleUnexpectedToken(getValueType(ctxt), p.currentToken(), p, msg);
+ }
+
protected void _verifyEndArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
{
JsonToken t = p.nextToken();
diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
new file mode 100644
index 0000000..e5b0f1e
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
@@ -0,0 +1,95 @@
+package com.fasterxml.jackson.databind.deser.dos;
+
+import java.util.Date;
+
+import com.fasterxml.jackson.databind.*;
+import com.fasterxml.jackson.databind.exc.MismatchedInputException;
+
+public class DeepArrayWrappingForDeser3590Test extends BaseMapTest
+{
+ // 05-Sep-2022, tatu: Before fix, failed with 5000
+ private final static int TOO_DEEP_NESTING = 9999;
+
+ private final ObjectMapper MAPPER = jsonMapperBuilder()
+ .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
+ .build();
+
+ private final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "123");
+
+ public void testArrayWrappingForBoolean() throws Exception
+ {
+ _testArrayWrappingFor(Boolean.class);
+ _testArrayWrappingFor(Boolean.TYPE);
+ }
+
+ public void testArrayWrappingForByte() throws Exception
+ {
+ _testArrayWrappingFor(Byte.class);
+ _testArrayWrappingFor(Byte.TYPE);
+ }
+
+ public void testArrayWrappingForShort() throws Exception
+ {
+ _testArrayWrappingFor(Short.class);
+ _testArrayWrappingFor(Short.TYPE);
+ }
+
+ public void testArrayWrappingForInt() throws Exception
+ {
+ _testArrayWrappingFor(Integer.class);
+ _testArrayWrappingFor(Integer.TYPE);
+ }
+
+ public void testArrayWrappingForLong() throws Exception
+ {
+ _testArrayWrappingFor(Long.class);
+ _testArrayWrappingFor(Long.TYPE);
+ }
+
+ public void testArrayWrappingForFloat() throws Exception
+ {
+ _testArrayWrappingFor(Float.class);
+ _testArrayWrappingFor(Float.TYPE);
+ }
+
+ public void testArrayWrappingForDouble() throws Exception
+ {
+ _testArrayWrappingFor(Double.class);
+ _testArrayWrappingFor(Double.TYPE);
+ }
+
+ public void testArrayWrappingForDate() throws Exception
+ {
+ _testArrayWrappingFor(Date.class);
+ }
+
+ private void _testArrayWrappingFor(Class<?> cls) throws Exception
+ {
+ try {
+ MAPPER.readValue(TOO_DEEP_DOC, cls);
+ fail("Should not pass");
+ } catch (MismatchedInputException e) {
+ verifyException(e, "Cannot deserialize");
+ verifyException(e, "nested Arrays not allowed");
+ }
+ }
+
+ private static String _nestedDoc(int nesting, String open, String close, String content) {
+ StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
+ for (int i = 0; i < nesting; ++i) {
+ sb.append(open);
+ if ((i & 31) == 0) {
+ sb.append("\n");
+ }
+ }
+ sb.append("\n").append(content).append("\n");
+ for (int i = 0; i < nesting; ++i) {
+ sb.append(close);
+ if ((i & 31) == 0) {
+ sb.append("\n");
+ }
+ }
+ return sb.toString();
+ }
+
+}
|
