Merge pull request #322 from asoldano/max-error-message-size

cowtowncoder · web-flow · commit 4616602c5cbb · 2017-01-11T19:35:59.000-08:00
Trim tokens in error messages to 256 byte to prevent attacks
diff --git a/src/main/java/com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java b/src/main/java/com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java
@@ -2819,7 +2819,8 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce
          * regular Java identifier character rules. It's just a heuristic,
          * nothing fancy here.
          */
-        while (true) {
+        final int maxTokenLength = 256;
+        while (sb.length() < maxTokenLength) {
             if (_inputPtr >= _inputEnd) {
                 if (!_loadMore()) {
                     break;
@@ -2832,6 +2833,9 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce
             ++_inputPtr;
             sb.append(c);
         }
+        if (sb.length() == maxTokenLength) {
+            sb.append("...");
+        }
         _reportError("Unrecognized token '"+sb.toString()+"': was expecting "+msg);
     }
 }
diff --git a/src/main/java/com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java b/src/main/java/com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java
@@ -3510,7 +3510,8 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce
           * regular Java identifier character rules. It's just a heuristic,
           * nothing fancy here (nor fast).
           */
-         while (true) {
+         final int maxTokenLength = 256;
+         while (sb.length() < maxTokenLength) {
              if (_inputPtr >= _inputEnd && !_loadMore()) {
                  break;
              }
@@ -3521,6 +3522,9 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce
              }
              sb.append(c);
          }
+         if (sb.length() == maxTokenLength) {
+                sb.append("...");
+         }
          _reportError("Unrecognized token '"+sb.toString()+"': was expecting "+msg);
      }
         
diff --git a/src/test/java/com/fasterxml/jackson/core/json/TestMaxErrorSize.java b/src/test/java/com/fasterxml/jackson/core/json/TestMaxErrorSize.java
@@ -0,0 +1,88 @@
+package com.fasterxml.jackson.core.json;
+
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.core.JsonParser;
+
+/**
+ * Test size of parser error messages
+ */
+public class TestMaxErrorSize
+    extends com.fasterxml.jackson.core.BaseTest
+{
+    public void testLongErrorMessage()
+        throws Exception
+    {
+        final String DOC = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+        		+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+        		+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+        		+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+    	assertTrue(DOC.length() > 256);
+        JsonParser jp = createParserUsingReader(DOC);
+        try {
+            jp.nextToken();
+            fail("Expected an exception for unrecognized token");
+        } catch (JsonParseException jpe) {
+        	String msg = jpe.getMessage();
+        	final String expectedPrefix = "Unrecognized token '";
+        	final String expectedSuffix = "...': was expecting ('true', 'false' or 'null')";
+        	assertTrue(msg.startsWith(expectedPrefix));
+        	assertTrue(msg.contains(expectedSuffix));
+        	msg = msg.substring(expectedPrefix.length(), msg.indexOf(expectedSuffix));
+        	assertEquals(256, msg.length());
+        }
+        jp.close();
+        
+        jp = createParser(MODE_INPUT_STREAM, DOC);
+        try {
+            jp.nextToken();
+            fail("Expected an exception for unrecognized token");
+        } catch (JsonParseException jpe) {
+        	String msg = jpe.getMessage();
+        	final String expectedPrefix = "Unrecognized token '";
+        	final String expectedSuffix = "...': was expecting ('true', 'false' or 'null')";
+        	assertTrue(msg.startsWith(expectedPrefix));
+        	assertTrue(msg.contains(expectedSuffix));
+        	msg = msg.substring(expectedPrefix.length(), msg.indexOf(expectedSuffix));
+        	assertEquals(256, msg.length());
+        }
+        jp.close();
+    }
+    
+    public void testShortErrorMessage()
+            throws Exception
+        {
+            final String DOC = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+            		+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+        	assertTrue(DOC.length() < 256);
+            JsonParser jp = createParserUsingReader(DOC);
+            try {
+                jp.nextToken();
+                fail("Expected an exception for unrecognized token");
+            } catch (JsonParseException jpe) {
+            	String msg = jpe.getMessage();
+            	final String expectedPrefix = "Unrecognized token '";
+            	final String expectedSuffix = "': was expecting ('true', 'false' or 'null')";
+            	assertTrue(msg.startsWith(expectedPrefix));
+            	assertTrue(msg.contains(expectedSuffix));
+            	msg = msg.substring(expectedPrefix.length(), msg.indexOf(expectedSuffix));
+            	assertEquals(DOC.length(), msg.length());
+            }
+            jp.close();
+            
+            jp = createParser(MODE_INPUT_STREAM, DOC);
+            try {
+                jp.nextToken();
+                fail("Expected an exception for unrecognized token");
+            } catch (JsonParseException jpe) {
+            	String msg = jpe.getMessage();
+            	final String expectedPrefix = "Unrecognized token '";
+            	final String expectedSuffix = "': was expecting ('true', 'false' or 'null')";
+            	assertTrue(msg.startsWith(expectedPrefix));
+            	assertTrue(msg.contains(expectedSuffix));
+            	msg = msg.substring(expectedPrefix.length(), msg.indexOf(expectedSuffix));
+            	assertEquals(DOC.length(), msg.length());
+            }
+            jp.close();
+        }
+}
+

Original file line number	Diff line number	Diff line change
`@@ -2819,7 +2819,8 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce`
`2819`	`2819`	`* regular Java identifier character rules. It's just a heuristic,`
`2820`	`2820`	`* nothing fancy here.`
`2821`	`2821`	`*/`
`2822`		`- while (true) {`
	`2822`	`+ final int maxTokenLength = 256;`
	`2823`	`+ while (sb.length() < maxTokenLength) {`
`2823`	`2824`	`if (_inputPtr >= _inputEnd) {`
`2824`	`2825`	`if (!_loadMore()) {`
`2825`	`2826`	`break;`
`@@ -2832,6 +2833,9 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce`
`2832`	`2833`	`++_inputPtr;`
`2833`	`2834`	`sb.append(c);`
`2834`	`2835`	`}`
	`2836`	`+ if (sb.length() == maxTokenLength) {`
	`2837`	`+ sb.append("...");`
	`2838`	`+ }`
`2835`	`2839`	`_reportError("Unrecognized token '"+sb.toString()+"': was expecting "+msg);`
`2836`	`2840`	`}`
`2837`	`2841`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3510,7 +3510,8 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce`
`3510`	`3510`	`* regular Java identifier character rules. It's just a heuristic,`
`3511`	`3511`	`* nothing fancy here (nor fast).`
`3512`	`3512`	`*/`
`3513`		`- while (true) {`
	`3513`	`+ final int maxTokenLength = 256;`
	`3514`	`+ while (sb.length() < maxTokenLength) {`
`3514`	`3515`	`if (_inputPtr >= _inputEnd && !_loadMore()) {`
`3515`	`3516`	`break;`
`3516`	`3517`	`}`
`@@ -3521,6 +3522,9 @@ protected void _reportInvalidToken(String matchedPart, String msg) throws IOExce`
`3521`	`3522`	`}`
`3522`	`3523`	`sb.append(c);`
`3523`	`3524`	`}`
	`3525`	`+ if (sb.length() == maxTokenLength) {`
	`3526`	`+ sb.append("...");`
	`3527`	`+ }`
`3524`	`3528`	`_reportError("Unrecognized token '"+sb.toString()+"': was expecting "+msg);`
`3525`	`3529`	`}`
`3526`	`3530`