Protect against deeply nested JSON maps

philwebb · philwebb · commit da91cde30477 · 2022-07-26T15:52:57.000+01:00
See gh-31868
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/BasicJsonParser.java
@@ -42,7 +42,7 @@ public class BasicJsonParser extends AbstractJsonParser {
 
 	@Override
 	public Map<String, Object> parseMap(String json) {
-		return tryParse(() -> parseMap(json, this::parseMapInternal), Exception.class);
+		return tryParse(() -> parseMap(json, (jsonToParse) -> parseMapInternal(0, jsonToParse)), Exception.class);
 	}
 
 	@Override
@@ -67,7 +67,7 @@ private Object parseInternal(int nesting, String json) {
 			return parseListInternal(nesting + 1, json);
 		}
 		if (json.startsWith("{")) {
-			return parseMapInternal(json);
+			return parseMapInternal(nesting, json);
 		}
 		if (json.startsWith("\"")) {
 			return trimTrailingCharacter(trimLeadingCharacter(json, '"'), '"');
@@ -87,15 +87,15 @@ private Object parseInternal(int nesting, String json) {
 		return json;
 	}
 
-	private Map<String, Object> parseMapInternal(String json) {
+	private Map<String, Object> parseMapInternal(int nesting, String json) {
 		Map<String, Object> map = new LinkedHashMap<>();
 		json = trimLeadingCharacter(trimTrailingCharacter(json, '}'), '{').trim();
 		for (String pair : tokenize(json)) {
 			String[] values = StringUtils.trimArrayElements(StringUtils.split(pair, ":"));
 			Assert.state(values[0].startsWith("\"") && values[0].endsWith("\""),
 					"Expecting double-quotes around field names");
 			String key = trimLeadingCharacter(trimTrailingCharacter(values[0], '"'), '"');
-			Object value = parseInternal(0, values[1]);
+			Object value = parseInternal(nesting, values[1]);
 			map.put(key, value);
 		}
 		return map;
