check number lengths (#3687)

pjfanning · web-flow · commit 6a7b516760bd · 2022-12-04T14:42:50.000-08:00
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/std/NumberDeserializers.java b/src/main/java/com/fasterxml/jackson/databind/deser/std/NumberDeserializers.java
@@ -751,6 +751,7 @@ protected final Double _parseDouble(JsonParser p, DeserializationContext ctxt) t
             if (_checkTextualNull(ctxt, text)) {
                 return (Double) getNullValue(ctxt);
             }
+            p.streamReadConstraints().validateFPLength(text.length());
             try {
                 return _parseDouble(text, p.isEnabled(StreamReadFeature.USE_FAST_DOUBLE_PARSER));
             } catch (IllegalArgumentException iae) { }
@@ -843,13 +844,15 @@ public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOEx
             }
             try {
                 if (!_isIntNumber(text)) {
+                    p.streamReadConstraints().validateFPLength(text.length());
                     if (ctxt.isEnabled(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS)) {
                         return NumberInput.parseBigDecimal(
                                 text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));
                     }
                     return Double.valueOf(
                             NumberInput.parseDouble(text, p.isEnabled(StreamReadFeature.USE_FAST_DOUBLE_PARSER)));
                 }
+                p.streamReadConstraints().validateIntegerLength(text.length());
                 if (ctxt.isEnabled(DeserializationFeature.USE_BIG_INTEGER_FOR_INTS)) {
                     return NumberInput.parseBigInteger(text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));
                 }
@@ -961,6 +964,7 @@ public BigInteger deserialize(JsonParser p, DeserializationContext ctxt) throws
                 // note: no need to call `coerce` as this is never primitive
                 return getNullValue(ctxt);
             }
+            p.streamReadConstraints().validateIntegerLength(text.length());
             try {
                 return NumberInput.parseBigInteger(text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));
             } catch (IllegalArgumentException iae) { }
@@ -1030,6 +1034,7 @@ public BigDecimal deserialize(JsonParser p, DeserializationContext ctxt)
                 // note: no need to call `coerce` as this is never primitive
                 return getNullValue(ctxt);
             }
+            p.streamReadConstraints().validateFPLength(text.length());
             try {
                 return NumberInput.parseBigDecimal(text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));
             } catch (IllegalArgumentException iae) { }
diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/TestBigNumbers.java b/src/test/java/com/fasterxml/jackson/databind/deser/TestBigNumbers.java
@@ -0,0 +1,123 @@
+package com.fasterxml.jackson.databind.deser;
+
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.StreamReadConstraints;
+import com.fasterxml.jackson.databind.BaseMapTest;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+
+import java.math.BigDecimal;
+import java.math.BigInteger;
+
+public class TestBigNumbers extends BaseMapTest
+{
+    static class BigDecimalWrapper {
+        BigDecimal number;
+
+        public BigDecimalWrapper() {}
+
+        public BigDecimalWrapper(BigDecimal number) {
+            this.number = number;
+        }
+
+        public void setNumber(BigDecimal number) {
+            this.number = number;
+        }
+    }
+
+    static class BigIntegerWrapper {
+        BigInteger number;
+
+        public BigIntegerWrapper() {}
+
+        public BigIntegerWrapper(BigInteger number) {
+            this.number = number;
+        }
+
+        public void setNumber(BigInteger number) {
+            this.number = number;
+        }
+    }
+
+    /*
+    /**********************************************************
+    /* Tests
+    /**********************************************************
+     */
+
+    private final ObjectMapper MAPPER = newJsonMapper();
+
+    private final ObjectMapper newJsonMapperWithUnlimitedNumberSizeSupport() {
+        JsonFactory jsonFactory = JsonFactory.builder()
+                .streamReadConstraints(StreamReadConstraints.builder().maxNumberLength(Integer.MAX_VALUE).build())
+                .build();
+        return JsonMapper.builder(jsonFactory).build();
+    }
+
+    public void testDouble() throws Exception
+    {
+        try {
+            MAPPER.readValue(generateJson("d"), DoubleWrapper.class);
+        } catch (JsonMappingException jsonMappingException) {
+            assertTrue("unexpected exception message: " + jsonMappingException.getMessage(),
+                    jsonMappingException.getMessage().startsWith("Malformed numeric value ([number with 1200 characters])"));
+        }
+    }
+
+    public void testDoubleUnlimited() throws Exception
+    {
+        DoubleWrapper dw =
+            newJsonMapperWithUnlimitedNumberSizeSupport().readValue(generateJson("d"), DoubleWrapper.class);
+        assertNotNull(dw);
+    }
+
+    public void testBigDecimal() throws Exception
+    {
+        try {
+            MAPPER.readValue(generateJson("number"), BigDecimalWrapper.class);
+        } catch (JsonMappingException jsonMappingException) {
+            assertTrue("unexpected exception message: " + jsonMappingException.getMessage(),
+                    jsonMappingException.getMessage().startsWith("Malformed numeric value ([number with 1200 characters])"));
+        }
+    }
+
+    public void testBigDecimalUnlimited() throws Exception
+    {
+        BigDecimalWrapper bdw =
+                newJsonMapperWithUnlimitedNumberSizeSupport()
+                        .readValue(generateJson("number"), BigDecimalWrapper.class);
+        assertNotNull(bdw);
+    }
+
+    public void testBigInteger() throws Exception
+    {
+        try {
+            MAPPER.readValue(generateJson("number"), BigIntegerWrapper.class);
+        } catch (JsonMappingException jsonMappingException) {
+            assertTrue("unexpected exception message: " + jsonMappingException.getMessage(),
+                    jsonMappingException.getMessage().startsWith("Malformed numeric value ([number with 1200 characters])"));
+        }
+    }
+
+    public void testBigIntegerUnlimited() throws Exception
+    {
+        BigIntegerWrapper bdw =
+                newJsonMapperWithUnlimitedNumberSizeSupport()
+                        .readValue(generateJson("number"), BigIntegerWrapper.class);
+        assertNotNull(bdw);
+    }
+
+    private String generateJson(final String fieldName) {
+        final int len = 1200;
+        final StringBuilder sb = new StringBuilder();
+        sb.append("{\"")
+                .append(fieldName)
+                .append("\": ");
+        for (int i = 0; i < len; i++) {
+            sb.append(1);
+        }
+        sb.append("}");
+        return sb.toString();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -751,6 +751,7 @@ protected final Double _parseDouble(JsonParser p, DeserializationContext ctxt) t`
`751`	`751`	`if (_checkTextualNull(ctxt, text)) {`
`752`	`752`	`return (Double) getNullValue(ctxt);`
`753`	`753`	`}`
	`754`	`+ p.streamReadConstraints().validateFPLength(text.length());`
`754`	`755`	`try {`
`755`	`756`	`return _parseDouble(text, p.isEnabled(StreamReadFeature.USE_FAST_DOUBLE_PARSER));`
`756`	`757`	`} catch (IllegalArgumentException iae) { }`
`@@ -843,13 +844,15 @@ public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOEx`
`843`	`844`	`}`
`844`	`845`	`try {`
`845`	`846`	`if (!_isIntNumber(text)) {`
	`847`	`+ p.streamReadConstraints().validateFPLength(text.length());`
`846`	`848`	`if (ctxt.isEnabled(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS)) {`
`847`	`849`	`return NumberInput.parseBigDecimal(`
`848`	`850`	`text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));`
`849`	`851`	`}`
`850`	`852`	`return Double.valueOf(`
`851`	`853`	`NumberInput.parseDouble(text, p.isEnabled(StreamReadFeature.USE_FAST_DOUBLE_PARSER)));`
`852`	`854`	`}`
	`855`	`+ p.streamReadConstraints().validateIntegerLength(text.length());`
`853`	`856`	`if (ctxt.isEnabled(DeserializationFeature.USE_BIG_INTEGER_FOR_INTS)) {`
`854`	`857`	`return NumberInput.parseBigInteger(text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));`
`855`	`858`	`}`
`@@ -961,6 +964,7 @@ public BigInteger deserialize(JsonParser p, DeserializationContext ctxt) throws`
`961`	`964`	// note: no need to call `coerce` as this is never primitive
`962`	`965`	`return getNullValue(ctxt);`
`963`	`966`	`}`
	`967`	`+ p.streamReadConstraints().validateIntegerLength(text.length());`
`964`	`968`	`try {`
`965`	`969`	`return NumberInput.parseBigInteger(text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));`
`966`	`970`	`} catch (IllegalArgumentException iae) { }`
`@@ -1030,6 +1034,7 @@ public BigDecimal deserialize(JsonParser p, DeserializationContext ctxt)`
`1030`	`1034`	// note: no need to call `coerce` as this is never primitive
`1031`	`1035`	`return getNullValue(ctxt);`
`1032`	`1036`	`}`
	`1037`	`+ p.streamReadConstraints().validateFPLength(text.length());`
`1033`	`1038`	`try {`
`1034`	`1039`	`return NumberInput.parseBigDecimal(text, p.isEnabled(StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER));`
`1035`	`1040`	`} catch (IllegalArgumentException iae) { }`