Closed
Description
The depth CVE fix broke the whole JSON parser...
In the protected <T> T readObject(JsonReaderI<T> mapper)
you count up every time, but you only count down at case '}':
but there is another
read(); /* unstack */
return mapper.convert(current);
later, without counting down. This makes it so you can only read 400 objects, not a depth of 400.
This of course breaks parsing every JSON with more than 400 objects.
Easy test to prove the problem:
import com.jayway.jsonpath.JsonPath;

JsonPath jsonPath = JsonPath.compile("$");
jsonPath.read("[" + "{\"foo\":\"bar\"},".repeat(400) + "{\"foo\":\"bar\"}]");
Throws:
net.minidev.json.parser.ParseException: Malicious payload, having non natural depths, parsing stoped on { at position 5587.
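Added example, not json-smart's or the reporter's code: a toy parser with the same counter shape (count up on entering readObject, count down on only some exits) run against the issue's 401-sibling-object input, next to the try/finally form that counts down on every exit. Class, method and field names are mine; it handles only the shape of that input and needs Java 11+ for String.repeat.

```java
import java.util.*;
// Toy recursive-descent parser, constructed for this example (not json-smart's own code).
// It accepts only strings, non-empty arrays and non-empty objects with string values: enough
// to show that a depth counter not decremented on every return path counts objects, not depth.
public class DepthCounterDemo {
    static final int MAX_DEPTH = 400;               // the limit the issue reports
    private final String in;
    private final boolean unwindOnExit;             // false reproduces the bug, true the fix
    private int pos = 0, depth = 0;
    DepthCounterDemo(String in, boolean unwindOnExit) { this.in = in; this.unwindOnExit = unwindOnExit; }
    private char read() { return in.charAt(pos++); }
    private Object readValue() {
        char c = in.charAt(pos);
        if (c == '{') return readObject();
        if (c == '[') return readArray();
        if (c == '"') return readString();
        throw new IllegalStateException("unexpected '" + c + "' at " + pos);
    }
    private String readString() {                   // no escape handling; the input has none
        int start = ++pos;                          // skip the opening quote
        while (read() != '"') { }
        return in.substring(start, pos - 1);
    }
    private List<Object> readArray() {
        read();                                     // '['
        List<Object> out = new ArrayList<>();
        do { out.add(readValue()); } while (read() == ',');   // the loop stops on ']'
        return out;
    }
    private Map<String, Object> readObject() {
        if (++depth > MAX_DEPTH) throw new IllegalStateException("non natural depth at " + pos);
        try {
            read();                                 // '{'
            Map<String, Object> out = new LinkedHashMap<>();
            do { String k = readString(); read(); out.put(k, readValue()); } while (read() == ',');
            return out;                             // bug: this exit path never counts down
        } finally {
            if (unwindOnExit) depth--;              // fix: count down on every exit path
        }
    }
    static boolean parses(String json, boolean unwindOnExit) {
        try { new DepthCounterDemo(json, unwindOnExit).readValue(); return true; }
        catch (IllegalStateException e) { return false; }
    }
    public static void main(String[] args) {
        String siblings = "[" + "{\"foo\":\"bar\"},".repeat(400) + "{\"foo\":\"bar\"}]";
        System.out.println("buggy: " + parses(siblings, false));   // false: the 401st object trips
        System.out.println("fixed: " + parses(siblings, true));    // true: depth never exceeds 1
    }
}
```

With the counter left leaking, each non-empty sibling object adds one to depth, so the limit is hit by object count rather than nesting; the finally form keeps depth at the real nesting level, so the same input parses.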