Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DRAFT] check for nesting limits #3805

Closed
wants to merge 4 commits into from
Closed

[DRAFT] check for nesting limits #3805

wants to merge 4 commits into from

Conversation

pjfanning
Copy link
Member

@pjfanning pjfanning marked this pull request as draft March 5, 2023 11:18
@pjfanning pjfanning self-assigned this Mar 5, 2023
@pjfanning pjfanning changed the title check for nesting limits [DRAFT] check for nesting limits Mar 5, 2023
pjfanning
pjfanning commented Mar 5, 2023
View reviewed changes
src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepJsonTreeTraversingTest.java
public void testTreeWithArray() throws Exception
{
final String doc = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ");
JsonNode tree = unconstrainedMapper.readTree(doc);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cowtowncoder I was trying to add a test that checks the new logic in TreeTraversingParser (to validate nesting depth constraint). I found that 'readTree' validates already because it uses the jackson-core ReaderbasedJsonParser. I had to change the mapper to loosen the default nesting constraint to get this line to pass. This got me to thinking. Is there much point in having TreeTraversingParser also validate the nesting depth?

A similar question could be asked for the TokenBuffer Parser.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pjfanning Good question: I don't think they should (have to) validate nesting depth: only things that read actual input should. It seems like pure overhead, plus in some cases it may be unclear which constraints to use.
Same sort of goes for String length checks too I suppose.

One counter-case might be numeric length: if buffering String tokens but requesting number, number-length checks should be applied.

@cowtowncoder
Copy link
Member

@pjfanning Let's just remove validation checks from TreeTraversingParser and TokenBuffer -- they cannot be used in a way (AFAIK) that could cause issues, at least now with reading (all content comes from a validating source).
Writing will use different codepaths, checks, but I don't think that'd be problematic either (since content will end up into validating sink/target).

I'll try merging some of changes from here to unblock some tests.

cowtowncoder added a commit that referenced this pull request Mar 6, 2023
@cowtowncoder
Merge test fixes from #3805 to make test suite pass again
7345d2d
@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 6, 2023
edited
Loading

Ok, merged unit test fixes directly. Caused some conflict, will try to resolve.

EDIT: no more conflicts.

@pjfanning
Copy link
Member Author

useful bits already merged - #3810 contains the test

@pjfanning pjfanning closed this Mar 6, 2023
@pjfanning pjfanning deleted the nesting branch March 14, 2023 11:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cowtowncoder cowtowncoder cowtowncoder left review comments

Assignees

@pjfanning pjfanning

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pjfanning @cowtowncoder