From 6d811607ddf4922a49fb37e3a813e2a59ca809a7 Mon Sep 17 00:00:00 2001 From: sk02241994 Date: Fri, 3 Nov 2023 19:54:23 +0530 Subject: [PATCH] Resolving issue #743 - Recursive depth issue found in JSONObject - Recursive depth issue found in JSONArray --- src/main/java/org/json/JSONArray.java | 29 ++++++++++++++----- src/main/java/org/json/JSONObject.java | 26 +++++++++++++++-- .../java/org/json/junit/JSONArrayTest.java | 21 ++++++++++++++ .../java/org/json/junit/JSONObjectTest.java | 17 +++++++++++ 4 files changed, 83 insertions(+), 10 deletions(-) diff --git a/src/main/java/org/json/JSONArray.java b/src/main/java/org/json/JSONArray.java index ed7982f8a..eec7852d5 100644 --- a/src/main/java/org/json/JSONArray.java +++ b/src/main/java/org/json/JSONArray.java @@ -149,11 +149,18 @@ public JSONArray(String source) throws JSONException { * A Collection. */ public JSONArray(Collection collection) { + this(collection, 0); + } + + protected JSONArray(Collection collection, int recursionDepth) { + if (recursionDepth > JSONObject.RECURSION_DEPTH_LIMIT) { + throw new JSONException("JSONArray has reached recursion depth limit of " + JSONObject.RECURSION_DEPTH_LIMIT); + } if (collection == null) { this.myArrayList = new ArrayList(); } else { this.myArrayList = new ArrayList(collection.size()); - this.addAll(collection, true); + this.addAll(collection, true, recursionDepth); } } @@ -205,7 +212,7 @@ public JSONArray(Object array) throws JSONException { throw new JSONException( "JSONArray initial value should be a string or collection or array."); } - this.addAll(array, true); + this.addAll(array, true, 0); } /** @@ -1779,13 +1786,15 @@ public boolean isEmpty() { * @param wrap * {@code true} to call {@link JSONObject#wrap(Object)} for each item, * {@code false} to add the items directly + * @param recursionDepth + * variable to keep the count of how nested the object creation is happening. * */ - private void addAll(Collection collection, boolean wrap) { + private void addAll(Collection collection, boolean wrap, int recursionDepth) { this.myArrayList.ensureCapacity(this.myArrayList.size() + collection.size()); if (wrap) { for (Object o: collection){ - this.put(JSONObject.wrap(o)); + this.put(JSONObject.wrap(o, recursionDepth + 1)); } } else { for (Object o: collection){ @@ -1815,6 +1824,10 @@ private void addAll(Iterable iter, boolean wrap) { } } + private void addAll(Object array, boolean wrap) throws JSONException { + this.addAll(array, wrap, 0); + } + /** * Add an array's elements to the JSONArray. * @@ -1825,19 +1838,21 @@ private void addAll(Iterable iter, boolean wrap) { * @param wrap * {@code true} to call {@link JSONObject#wrap(Object)} for each item, * {@code false} to add the items directly + * @param recursionDepth + * Variable to keep the count of how nested the object creation is happening. * * @throws JSONException * If not an array or if an array value is non-finite number. * @throws NullPointerException * Thrown if the array parameter is null. */ - private void addAll(Object array, boolean wrap) throws JSONException { + private void addAll(Object array, boolean wrap, int recursionDepth) throws JSONException { if (array.getClass().isArray()) { int length = Array.getLength(array); this.myArrayList.ensureCapacity(this.myArrayList.size() + length); if (wrap) { for (int i = 0; i < length; i += 1) { - this.put(JSONObject.wrap(Array.get(array, i))); + this.put(JSONObject.wrap(Array.get(array, i), recursionDepth + 1)); } } else { for (int i = 0; i < length; i += 1) { @@ -1850,7 +1865,7 @@ private void addAll(Object array, boolean wrap) throws JSONException { // JSONArray this.myArrayList.addAll(((JSONArray)array).myArrayList); } else if (array instanceof Collection) { - this.addAll((Collection)array, wrap); + this.addAll((Collection)array, wrap, recursionDepth); } else if (array instanceof Iterable) { this.addAll((Iterable)array, wrap); } else { diff --git a/src/main/java/org/json/JSONObject.java b/src/main/java/org/json/JSONObject.java index 7f4885e00..72c0ebd78 100644 --- a/src/main/java/org/json/JSONObject.java +++ b/src/main/java/org/json/JSONObject.java @@ -147,6 +147,7 @@ public String toString() { * The map where the JSONObject's properties are kept. */ private final Map map; + public static final int RECURSION_DEPTH_LIMIT = 1000; public Class getMapType() { return map.getClass(); @@ -276,6 +277,17 @@ public JSONObject(JSONTokener x) throws JSONException { * If a key in the map is null */ public JSONObject(Map m) { + this(m, 0); + } + + /** + * Construct a JSONObject from a map with recursion depth. + * + */ + protected JSONObject(Map m, int recursionDepth) { + if (recursionDepth > RECURSION_DEPTH_LIMIT) { + throw new JSONException("JSONObject has reached recursion depth limit of " + RECURSION_DEPTH_LIMIT); + } if (m == null) { this.map = new HashMap(); } else { @@ -287,7 +299,7 @@ public JSONObject(Map m) { final Object value = e.getValue(); if (value != null) { testValidity(value); - this.map.put(String.valueOf(e.getKey()), wrap(value)); + this.map.put(String.valueOf(e.getKey()), wrap(value, recursionDepth + 1)); } } } @@ -2566,7 +2578,15 @@ public static Object wrap(Object object) { return wrap(object, null); } + public static Object wrap(Object object, int recursionDepth) { + return wrap(object, null, recursionDepth); + } + private static Object wrap(Object object, Set objectsRecord) { + return wrap(object, objectsRecord, 0); + } + + private static Object wrap(Object object, Set objectsRecord, int recursionDepth) { try { if (NULL.equals(object)) { return NULL; @@ -2584,14 +2604,14 @@ private static Object wrap(Object object, Set objectsRecord) { if (object instanceof Collection) { Collection coll = (Collection) object; - return new JSONArray(coll); + return new JSONArray(coll, recursionDepth); } if (object.getClass().isArray()) { return new JSONArray(object); } if (object instanceof Map) { Map map = (Map) object; - return new JSONObject(map); + return new JSONObject(map, recursionDepth); } Package objectPackage = object.getClass().getPackage(); String objectPackageName = objectPackage != null ? objectPackage diff --git a/src/test/java/org/json/junit/JSONArrayTest.java b/src/test/java/org/json/junit/JSONArrayTest.java index 7b0d52eca..44a1d7bdd 100644 --- a/src/test/java/org/json/junit/JSONArrayTest.java +++ b/src/test/java/org/json/junit/JSONArrayTest.java @@ -1417,4 +1417,25 @@ public String toJSONString() { .put(2); assertFalse(ja1.similar(ja3)); } + + @Test(expected = JSONException.class) + public void testRecursiveDepth() { + HashMap map = new HashMap<>(); + map.put("t", map); + new JSONArray().put(map); + } + + @Test(expected = JSONException.class) + public void testRecursiveDepthAtPosition() { + HashMap map = new HashMap<>(); + map.put("t", map); + new JSONArray().put(0, map); + } + + @Test(expected = JSONException.class) + public void testRecursiveDepthArray() { + ArrayList array = new ArrayList<>(); + array.add(array); + new JSONArray(array); + } } diff --git a/src/test/java/org/json/junit/JSONObjectTest.java b/src/test/java/org/json/junit/JSONObjectTest.java index d9adbcade..dff4503e2 100644 --- a/src/test/java/org/json/junit/JSONObjectTest.java +++ b/src/test/java/org/json/junit/JSONObjectTest.java @@ -3718,4 +3718,21 @@ public void issue713BeanConstructorWithNonFiniteNumbers() { assertThrows(JSONException.class, () -> new JSONObject(bean)); } } + + @Test(expected = JSONException.class) + public void issue743SerializationMap() { + HashMap map = new HashMap<>(); + map.put("t", map); + JSONObject object = new JSONObject(map); + String jsonString = object.toString(); + } + + @Test(expected = JSONException.class) + public void testCircularReferenceMultipleLevel() { + HashMap inside = new HashMap<>(); + HashMap jsonObject = new HashMap<>(); + inside.put("inside", jsonObject); + jsonObject.put("test", inside); + new JSONObject(jsonObject); + } }