Prevent deep recursion in ConfigurationMetadata (dropwizard#3536)

Processing a configuration class with self-referencing fields could lead to an `OutOfMemoryError`.

To prevent this, multiple safe guards have been added:

- Reduce recursion depth from 100 to 10 levels
- Check for loops in the parents of a property
- Take `@JsonIgnore` annotation into account

Fixes dropwizard#3528

Author: joschi

dropwizard-configuration/pom.xml

@@ -77,6 +77,11 @@
             <artifactId>assertj-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

dropwizard-configuration/src/main/java/io/dropwizard/configuration/ConfigurationMetadata.java

@@ -1,15 +1,19 @@
 package io.dropwizard.configuration;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.databind.BeanProperty;
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.jsonFormatVisitors.JsonFormatVisitorWrapper;
 import com.fasterxml.jackson.databind.jsonFormatVisitors.JsonObjectFormatVisitor;
 import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
+
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 
 /**
  * A class to get metadata about the properties that are available in a configuration class. It can
@@ -35,34 +39,35 @@
  *     }
  * }
  * </pre>
- *
+ * <p>
  * This leads to the following entries:
  * <ul>
  *     <li><pre>{@code name -> {SimpleType} "[simple type, class java.lang.String]"}</pre></li>
  *     <li><pre>{@code names -> {CollectionType} "[collection type; class java.util.List, contains [simple type, class java.lang.String]]"}</pre></li>
  * </ul>
- *
+ * <p>
  * Restrictions: The field-tree is only discovered correctly when no inheritance is present. It is
  * hard to discover the correct class, so this sticks to the defaultImpl that is provided.
  */
 public class ConfigurationMetadata extends JsonFormatVisitorWrapper.Base {
 
     // Just a safety option if someone uses recursive configuration classes
-    private static final int MAX_DEPTH = 100;
+    private static final int MAX_DEPTH = 10;
 
     private final ObjectMapper mapper;
 
     // Field is package-private to be visible for unit tests
     final Map<String, JavaType> fields = new HashMap<>();
 
+    private final Set<BeanProperty> parentProps = new HashSet<>();
     private String currentPrefix = "";
     private int currentDepth = 0;
 
     /**
      * Create a metadata instance and
      *
      * @param mapper the {@link ObjectMapper} that is used to parse the configuration file
-     * @param klass the target class of the configuration
+     * @param klass  the target class of the configuration
      */
     public ConfigurationMetadata(ObjectMapper mapper, Class<?> klass) {
         this.mapper = mapper;
@@ -109,13 +114,22 @@ public JsonObjectFormatVisitor expectObjectFormat(JavaType type) throws JsonMapp
             @Override
             public void optionalProperty(BeanProperty prop) throws JsonMappingException {
                 // don't run into an infinite loop with circular dependencies
-                if (currentDepth > MAX_DEPTH) {
+                if (currentDepth >= MAX_DEPTH) {
+                    return;
+                }
+
+                // check if we already visited the same property
+                if (parentProps.contains(prop)) {
+                    return;
+                }
+
+                if (prop.getAnnotation(JsonIgnore.class) != null) {
                     return;
                 }
 
                 // build the complete field path
                 String name = !currentPrefix.isEmpty() ? currentPrefix + "." + prop.getName()
-                    : prop.getName();
+                        : prop.getName();
 
                 // set state for the recursive traversal
                 int oldFieldSize = fields.size();
@@ -135,17 +149,21 @@ public void optionalProperty(BeanProperty prop) throws JsonMappingException {
 
                 // get the type deserializer
                 TypeDeserializer typeDeserializer =
-                    mapper.getDeserializationConfig().findTypeDeserializer(fieldType);
+                        mapper.getDeserializationConfig().findTypeDeserializer(fieldType);
 
                 // get the default impl if available
                 Class<?> defaultImpl =
-                    typeDeserializer != null ? typeDeserializer.getDefaultImpl() : null;
+                        typeDeserializer != null ? typeDeserializer.getDefaultImpl() : null;
+
+                // remember current property
+                parentProps.add(prop);
 
                 // visit the type of the property (or its defaultImpl).
                 mapper.acceptJsonFormatVisitor(
-                    defaultImpl == null ? fieldType.getRawClass() : defaultImpl, thiss);
+                        defaultImpl == null ? fieldType.getRawClass() : defaultImpl, thiss);
 
                 // reset state after the recursive traversal
+                parentProps.remove(prop);
                 currentDepth--;
                 currentPrefix = oldPrefix;
 

dropwizard-configuration/src/test/java/io/dropwizard/configuration/ConfigurationMetadataTest.java

@@ -1,18 +1,23 @@
 package io.dropwizard.configuration;
 
-import static org.assertj.core.api.Assertions.assertThat;
-
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import io.dropwizard.jackson.Jackson;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Stream;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.Arguments;
-import org.junit.jupiter.params.provider.MethodSource;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatNoException;
 
 class ConfigurationMetadataTest {
 
@@ -60,7 +65,7 @@ public interface ExampleInterfaceWithDefaultImpl {
 
     @SuppressWarnings("UnusedDeclaration")
     public static class DefaultExampleInterface implements ExampleInterface,
-        ExampleInterfaceWithDefaultImpl {
+            ExampleInterfaceWithDefaultImpl {
 
         @JsonProperty
         private String[] array = new String[]{};
@@ -84,18 +89,64 @@ public Set<String> getSet() {
         }
     }
 
+    public static class Issue3528Configuration {
+        @JsonProperty
+        public ObjectMapper getMapper() {
+            return new ObjectMapper();
+        }
+    }
+
+    public static class SelfReferencingConfiguration {
+        private String str = "test";
+
+        @JsonProperty
+        public SelfReferencingConfiguration getSelfReferencingConfiguration() {
+            return new SelfReferencingConfiguration();
+        }
+
+        @JsonProperty
+        public String getStr() {
+            return str;
+        }
+    }
+
+    public static class SelfReferencingIgnoredConfiguration {
+        private String str = "test";
+        private Long number = 42L;
+        @JsonIgnore
+        private SelfReferencingConfiguration ignored = new SelfReferencingConfiguration();
+
+        @JsonIgnore
+        public SelfReferencingConfiguration getSelfReferencingConfiguration() {
+            return new SelfReferencingConfiguration();
+        }
+
+        @JsonProperty
+        public String getStr() {
+            return str;
+        }
+
+        public Long getNumber() {
+            return number;
+        }
+
+        public SelfReferencingConfiguration getIgnored() {
+            return ignored;
+        }
+    }
+
     @ParameterizedTest
     @MethodSource("provideArgsForShouldDiscoverAllFields")
     public void shouldDiscoverAllFields(String name, boolean isPrimitive,
-        boolean isCollectionOrArrayType,
-        Class<?> klass) {
+                                        boolean isCollectionOrArrayType,
+                                        Class<?> klass) {
         final ConfigurationMetadata metadata = new ConfigurationMetadata(
-            Jackson.newObjectMapper(), ExampleConfiguration.class);
+                Jackson.newObjectMapper(), ExampleConfiguration.class);
 
         assertThat(metadata.fields.get(name)).isNotNull().satisfies((f) -> {
             assertThat(f.isPrimitive()).isEqualTo(isPrimitive);
             assertThat(f.isCollectionLikeType() || f.isArrayType())
-                .isEqualTo(isCollectionOrArrayType);
+                    .isEqualTo(isCollectionOrArrayType);
 
             if (isCollectionOrArrayType) {
                 assertThat(f.getContentType().isTypeOrSubTypeOf(klass)).isTrue();
@@ -107,40 +158,61 @@ public void shouldDiscoverAllFields(String name, boolean isPrimitive,
 
     private static Stream<Arguments> provideArgsForShouldDiscoverAllFields() {
         return Stream.of(
-            Arguments.of("port", true, false, Integer.TYPE),
-            Arguments.of("example", false, false, ExampleInterface.class),
-            Arguments.of("exampleWithDefault.array", false, true, String.class),
-            Arguments.of("exampleWithDefault.list", false, true, String.class),
-            Arguments.of("exampleWithDefault.set", false, true, String.class),
-            Arguments.of("exampleWithDefaults[*].array", false, true, String.class),
-            Arguments.of("exampleWithDefaults[*].list", false, true, String.class),
-            Arguments.of("exampleWithDefaults[*].set", false, true, String.class)
+                Arguments.of("port", true, false, Integer.TYPE),
+                Arguments.of("example", false, false, ExampleInterface.class),
+                Arguments.of("exampleWithDefault.array", false, true, String.class),
+                Arguments.of("exampleWithDefault.list", false, true, String.class),
+                Arguments.of("exampleWithDefault.set", false, true, String.class),
+                Arguments.of("exampleWithDefaults[*].array", false, true, String.class),
+                Arguments.of("exampleWithDefaults[*].list", false, true, String.class),
+                Arguments.of("exampleWithDefaults[*].set", false, true, String.class)
         );
     }
 
     @ParameterizedTest
     @MethodSource("provideArgsForIsCollectionOfStringsShouldWork")
     public void isCollectionOfStringsShouldWork(String name, boolean isCollectionOfStrings) {
         final ConfigurationMetadata metadata = new ConfigurationMetadata(
-            Jackson.newObjectMapper(), ExampleConfiguration.class);
+                Jackson.newObjectMapper(), ExampleConfiguration.class);
 
         assertThat(metadata.isCollectionOfStrings(name)).isEqualTo(isCollectionOfStrings);
     }
 
-
     private static Stream<Arguments> provideArgsForIsCollectionOfStringsShouldWork() {
         return Stream.of(
-            Arguments.of("doesnotexist", false),
-            Arguments.of("port", false),
-            Arguments.of("example.array", false),
-            Arguments.of("example.list", false),
-            Arguments.of("example.set", false),
-            Arguments.of("exampleWithDefault.array", true),
-            Arguments.of("exampleWithDefault.list", true),
-            Arguments.of("exampleWithDefault.set", true),
-            Arguments.of("exampleWithDefaults[0].array", true),
-            Arguments.of("exampleWithDefaults[0].list", true),
-            Arguments.of("exampleWithDefaults[0].set", true)
+                Arguments.of("doesnotexist", false),
+                Arguments.of("port", false),
+                Arguments.of("example.array", false),
+                Arguments.of("example.list", false),
+                Arguments.of("example.set", false),
+                Arguments.of("exampleWithDefault.array", true),
+                Arguments.of("exampleWithDefault.list", true),
+                Arguments.of("exampleWithDefault.set", true),
+                Arguments.of("exampleWithDefaults[0].array", true),
+                Arguments.of("exampleWithDefaults[0].list", true),
+                Arguments.of("exampleWithDefaults[0].set", true)
         );
     }
+
+    @Test
+    void issue3528ShouldNotProduceOutOfMemoryError() {
+        assertThatNoException().isThrownBy(
+                () -> new ConfigurationMetadata(Jackson.newObjectMapper(), Issue3528Configuration.class));
+    }
+
+    @Test
+    void fieldsAnnotatedWithJsonIgnoreShouldBeIgnored() {
+        final ConfigurationMetadata metadata =
+                new ConfigurationMetadata(Jackson.newObjectMapper(), SelfReferencingIgnoredConfiguration.class);
+
+        assertThat(metadata.fields).containsOnlyKeys("str", "number");
+    }
+
+    @Test
+    void selfReferencingConfigurationShouldNotLoop() {
+        final ConfigurationMetadata metadata =
+                new ConfigurationMetadata(Jackson.newObjectMapper(), SelfReferencingConfiguration.class);
+
+        assertThat(metadata.fields).containsOnlyKeys("selfReferencingConfiguration.str", "str");
+    }
 }