Protect against deeply malformed JSON map keys

Fixes gh-31869

Author: philwebb

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java

@@ -21,6 +21,7 @@
 import java.util.List;
 import java.util.Map;
 
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 /**
@@ -86,6 +87,20 @@ private Object parseInternal(int nesting, String json) {
 		return json;
 	}
 
+	private Map<String, Object> parseMapInternal(String json) {
+		Map<String, Object> map = new LinkedHashMap<>();
+		json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
+		for (String pair : tokenize(json)) {
+			String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
+			Assert.state(values[0].startsWith("\"") && values[0].endsWith("\""),
+					"Expecting double-quotes around field names");
+			String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
+			Object value = parseInternal(0, values[1]);
+			map.put(key, value);
+		}
+		return map;
+	}
+
 	private static String trimTrailingCharacter(String string, char c) {
 		if (!string.isEmpty() && string.charAt(string.length() - 1) == c) {
 			return string.substring(0, string.length() - 1);
@@ -100,18 +115,6 @@ private static String trimLeadingCharacter(String string, char c) {
 		return string;
 	}
 
-	private Map<String, Object> parseMapInternal(String json) {
-		Map<String, Object> map = new LinkedHashMap<>();
-		json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
-		for (String pair : tokenize(json)) {
-			String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
-			String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
-			Object value = parseInternal(0, values[1]);
-			map.put(key, value);
-		}
-		return map;
-	}
-
 	private List<String> tokenize(String json) {
 		List<String> list = new ArrayList<>();
 		int index = 0;

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/AbstractJsonParserTests.java

@@ -198,4 +198,11 @@ void listWithRepeatedOpenArray() throws IOException {
 				.withMessageContaining("too deeply nested");
 	}
 
+	@Test // gh-31869
+	void largeMalformed() throws IOException {
+		String input = StreamUtils.copyToString(
+				AbstractJsonParserTests.class.getResourceAsStream("large-malformed-json.txt"), StandardCharsets.UTF_8);
+		assertThatExceptionOfType(JsonParseException.class).isThrownBy(() -> this.parser.parseList(input));
+	}
+
 }

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/YamlJsonParserTests.java

@@ -61,4 +61,9 @@ void listWithRepeatedOpenArray() throws IOException {
 		super.listWithRepeatedOpenArray();
 	}
 
+	@Override
+	@Disabled("SnakeYaml does not protect against malformed keys")
+	void largeMalformed() throws IOException {
+	}
+
 }