From d917f9b99309ccd44726d15db9a66836ed862151 Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Sat, 8 Jul 2023 10:16:25 +0100
Subject: [PATCH 1/3] police against cyclic data
---
 .../dataformat/xml/ser/ToXmlGenerator.java | 2 ++
 .../xml/ser/dos/CyclicDataSerTest.java | 29 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java
diff --git a/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java b/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java
index 2e5c8a552..9e8882790 100644
--- a/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java
+++ b/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java
@@ -536,6 +536,7 @@ public final void writeStartArray() throws IOException
 {
 _verifyValueWrite("start an array");
 _writeContext = _writeContext.createChildArrayContext();
+ streamWriteConstraints().validateNestingDepth(_writeContext.getNestingDepth());
 if (_cfgPrettyPrinter != null) {
 _cfgPrettyPrinter.writeStartArray(this);
 } else {
@@ -562,6 +563,7 @@ public final void writeStartObject() throws IOException
 {
 _verifyValueWrite("start an object");
 _writeContext = _writeContext.createChildObjectContext();
+ streamWriteConstraints().validateNestingDepth(_writeContext.getNestingDepth());
 if (_cfgPrettyPrinter != null) {
 _cfgPrettyPrinter.writeStartObject(this);
 } else {
diff --git a/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java b/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java
new file mode 100644
index 000000000..300c8b975
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java
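Review bot: The check added to `writeStartArray()`, and identically to `writeStartObject()` in the second ToXmlGenerator.java hunk, is a depth limit rather than cycle detection, and neither call site says so. A self-referencing value is still written level by level until the configured maximum is exceeded, so anything emitted before the exception may already have reached the underlying writer and should be treated as incomplete. The validation also runs after `_writeContext` has been replaced by the child context, so a caller that catches the exception is left with a generator one level deeper than what was actually started. I would add a comment above both calls, for example `// Depth limit, not cycle detection: cyclic input fails only once max nesting depth is exceeded; treat the generator as unusable afterwards`. Both method bodies continue past the end of their hunks.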
@@ -0,0 +1,29 @@
+package com.fasterxml.jackson.dataformat.xml.ser.dos;
+
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.dataformat.xml.XmlMapper;
+import com.fasterxml.jackson.dataformat.xml.XmlTestBase;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Simple unit tests to verify that we fail gracefully if you attempt to serialize
+ * data that is cyclic (eg a list that contains itself).
+ */
+public class CyclicDataSerTest extends XmlTestBase
+{
+ private final XmlMapper MAPPER = newMapper();
+
+ public void testListWithSelfReference() throws Exception {
+ List list = new ArrayList<>();
+ list.add(list);
+ try {
+ MAPPER.writeValueAsString(list);
+ fail("expected JsonMappingException");
+ } catch (JsonMappingException jmex) {
+ assertTrue("JsonMappingException message is as expected?",
+ jmex.getMessage().startsWith("Document nesting depth (1001) exceeds the maximum allowed"));
+ }
+ }
+}
From 94c69b917b570bc5f1a8e178378083c8ffe017ea Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Sat, 8 Jul 2023 12:11:37 +0100
Subject: [PATCH 2/3] Update ToXmlGenerator.java
---
 .../fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java b/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java
index 9e8882790..886356e12 100644
--- a/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java
+++ b/src/main/java/com/fasterxml/jackson/dataformat/xml/ser/ToXmlGenerator.java
@@ -321,6 +321,11 @@ public JsonGenerator overrideFormatFeatures(int values, int mask)
 /**********************************************************
 */
+ @Override
+ public StreamWriteConstraints streamWriteConstraints() {
+ return _ioContext.streamWriteConstraints();
+ }
+
 public ToXmlGenerator enable(Feature f) {
 _formatFeatures |= f.getMask();
 return this;
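Review bot: The new CyclicDataSerTest only drives the array path, because `testListWithSelfReference` reaches the check in `writeStartArray()` and nothing in the file reaches the identical check added to `writeStartObject()`. A companion case that serializes a self-referencing object-shaped value, for example a `Map` that holds itself as one of its values, and expects the same `JsonMappingException` prefix would pin the second call site. Without it, a later change that drops or moves the object-side validation would go unnoticed and cyclic objects would again recurse without a bound.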
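Review bot: The `streamWriteConstraints()` override in the [PATCH 2/3] hunk has no Javadoc, although it decides which limits the depth checks in `writeStartArray()` and `writeStartObject()` enforce. A short comment such as `/** Returns the constraints carried by this generator's IOContext, so nesting-depth validation uses the configured limits. */` would record that. Presumably the inherited implementation returns library defaults, which would make this override the piece that lets a configured maximum depth take effect; that is worth confirming and stating in the comment. The method lands directly under a section banner whose title is outside the hunk, so check that it belongs in that section.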
From ba91d2b2ff21fe38de1d96bf529a7de4f20c1af5 Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Sat, 8 Jul 2023 13:31:15 +0100
Subject: [PATCH 3/3] Update CyclicDataSerTest.java
---
 .../jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java b/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java
index 300c8b975..7c6be37ed 100644
--- a/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java
+++ b/src/test/java/com/fasterxml/jackson/dataformat/xml/ser/dos/CyclicDataSerTest.java
@@ -1,5 +1,6 @@
 package com.fasterxml.jackson.dataformat.xml.ser.dos;

+import com.fasterxml.jackson.core.StreamWriteConstraints;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.dataformat.xml.XmlMapper;
 import com.fasterxml.jackson.dataformat.xml.XmlTestBase;
@@ -22,8 +23,10 @@ public void testListWithSelfReference() throws Exception {
 MAPPER.writeValueAsString(list);
 fail("expected JsonMappingException");
 } catch (JsonMappingException jmex) {
+ String exceptionPrefix = String.format("Document nesting depth (%d) exceeds the maximum allowed",
+ StreamWriteConstraints.DEFAULT_MAX_DEPTH + 1);
 assertTrue("JsonMappingException message is as expected?",
- jmex.getMessage().startsWith("Document nesting depth (1001) exceeds the maximum allowed"));
+ jmex.getMessage().startsWith(exceptionPrefix));
 }
 }
 }
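Review bot: The expected prefix in the second hunk now follows `StreamWriteConstraints.DEFAULT_MAX_DEPTH`, but the test still runs only against a default mapper, so nothing checks that a non-default limit is enforced by the XML generator. A second case that configures a small limit through `StreamWriteConstraints.builder().maxNestingDepth(...)` and expects the exception at that depth would cover the configured path that the `_ioContext`-backed `streamWriteConstraints()` override exists for. It would also fail after a handful of levels instead of the default depth. `testListWithSelfReference` starts above this hunk.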