Add protection against StackOverflowError in JsonValueWriter #44627

nosan · 2025-03-06T14:42:28Z

Related to #44502

By default, Jackson uses a nesting depth of 1000.

Jackson:

	@Test
	void jackson() throws JsonProcessingException {
		List<Object> list = new ArrayList<>();
		list.add(list);
		new ObjectMapper().writeValueAsString(list);
	}

Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamWriteConstraints.getMaxNestingDepth()`) (through reference chain: java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->java.util.ArrayList[0]->

If you configure Jackson with a nesting depth greater than 1000 (Integer.MAX_VALUE), a StackOverflowError will also be thrown.

Jackson nestingDepth=5000

	@Test
	void jackson() throws JsonProcessingException {
		StreamWriteConstraints
			.overrideDefaultStreamWriteConstraints(StreamWriteConstraints.builder().maxNestingDepth(5000).build());
		List<Object> list = new ArrayList<>();
		list.add(list);
		ObjectMapper objectMapper = new ObjectMapper();
		objectMapper.writeValueAsString(list);
	}

java.lang.StackOverflowError
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serialize(IndexedListSerializer.java:69)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serialize(IndexedListSerializer.java:18)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serializeContents(IndexedListSerializer.java:119)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serialize(IndexedListSerializer.java:79)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serialize(IndexedListSerializer.java:18)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serializeContents(IndexedListSerializer.java:119)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serialize(IndexedListSerializer.java:79)
	at com.fasterxml.jackson.databind.ser.impl.IndexedListSerializer.serialize(IndexedListSerializer.java:18)

Gson:

@Test
void gson() {
		List<Object> list = new ArrayList<>();
		list.add(list);
		new Gson().toJson(list);
}


java.lang.StackOverflowError
	at com.google.gson.internal.$Gson$Types.equals($Gson$Types.java:175)
	at com.google.gson.reflect.TypeToken.equals(TypeToken.java:346)
	at java.base/java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:940)
	at com.google.gson.Gson.getAdapter(Gson.java:600)
	at com.google.gson.internal.bind.TypeAdapterRuntimeTypeWrapper.write(TypeAdapterRuntimeTypeWrapper.java:57)
	at com.google.gson.internal.bind.CollectionTypeAdapterFactory$Adapter.write(CollectionTypeAdapterFactory.java:99)
	at com.google.gson.internal.bind.CollectionTypeAdapterFactory$Adapter.write(CollectionTypeAdapterFactory.java:59)
	at com.google.gson.internal.bind.TypeAdapterRuntimeTypeWrapper.write(TypeAdapterRuntimeTypeWrapper.java:73)
	at com.google.gson.internal.bind.CollectionTypeAdapterFactory$Adapter.write(CollectionTypeAdapterFactory.java:99)

Jsonb:

@Test
void jsonb() {
  List<Object> list = new ArrayList<>();
  list.add(list);
  JsonbBuilder.create().toJson(list);
}

SEVERE: Generating incomplete JSON

java.lang.StackOverflowError
	at java.base/java.lang.Class.reflectionData(Class.java:3214)
	at java.base/java.lang.Class.getInterfaces(Class.java:1144)
	at java.base/java.lang.Class.getInterfaces(Class.java:1140)
	at org.eclipse.yasson.internal.ComponentMatcher.searchComponentBinding(ComponentMatcher.java:210)
	at org.eclipse.yasson.internal.ComponentMatcher.getSerializerBinding(ComponentMatcher.java:145)
	at org.eclipse.yasson.internal.serializer.SerializationModelCreator.userSerializer(SerializationModelCreator.java:418)
	at org.eclipse.yasson.internal.serializer.SerializationModelCreator.serializerChainInternal(SerializationModelCreator.java:149)
	at org.eclipse.yasson.internal.serializer.SerializationModelCreator.serializerChain(SerializationModelCreator.java:133)
	at org.eclipse.yasson.internal.serializer.SerializationModelCreator.serializerChain(SerializationModelCreator.java:91)

nosan · 2025-03-06T16:19:33Z

Oh... with private static final int MAX_NESTING_DEPTH = 1000, the tests fail on CI: 😞

Expecting actual throwable to be an instance of:
  java.lang.IllegalStateException
but was:
  java.lang.StackOverflowError
	at org.springframework.boot.json.JsonWriter$MemberPath.toString(JsonWriter.java:816)
	at org.springframework.boot.json.JsonWriter$MemberPath.toString(JsonWriter.java:816)
	at org.springframework.boot.json.JsonWriter$MemberPath.toString(JsonWriter.java:816)

This commit adds validation for the maximum JSON nesting depth in the JsonValueWriter. This helps prevent StackOverflowError that can potentially occur due to excessive recursion when dealing with deeply nested JSON structures. Signed-off-by: Dmytro Nosan <[email protected]>

nosan · 2025-03-06T16:43:01Z

...ng-boot-project/spring-boot/src/main/java/org/springframework/boot/json/JsonValueWriter.java

@@ -46,8 +46,12 @@
 */
 class JsonValueWriter {

+	private static final int DEFAULT_MAX_NESTING_DEPTH = 1000;


I'm wondering if such a deep nesting level is necessary, as JsonWriter is primarily used for StructuredLogging, and such depth seems practically impossible.

Maybe this should be configurable? If user decides they want more, they should be able to get more. Default level should be maybe lower, something like 32. Note that this is not only a stack-overflow protection, but also protection against overflowing the storage space for logs.

I've prototyped some changes main...nosan:44502-json-writer-configuration

spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 6, 2025

nosan force-pushed the 44502-stackoverflow-protection branch 2 times, most recently from b3f8244 to ea08a97 Compare March 6, 2025 15:21

nosan mentioned this pull request Mar 6, 2025

Logging a Path object using structured logging throws StackOverflowError #44502

Open

nosan force-pushed the 44502-stackoverflow-protection branch from 6849356 to 1777be4 Compare March 6, 2025 16:27

nosan commented Mar 6, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add protection against StackOverflowError in JsonValueWriter #44627

Add protection against StackOverflowError in JsonValueWriter #44627

nosan commented Mar 6, 2025 •

edited

Loading

nosan commented Mar 6, 2025 •

edited

Loading

nosan Mar 6, 2025

thecooldrop Mar 9, 2025

nosan Mar 10, 2025

Add protection against StackOverflowError in JsonValueWriter #44627

Are you sure you want to change the base?

Add protection against StackOverflowError in JsonValueWriter #44627

Conversation

nosan commented Mar 6, 2025 • edited Loading

nosan commented Mar 6, 2025 • edited Loading

nosan Mar 6, 2025

Choose a reason for hiding this comment

thecooldrop Mar 9, 2025

Choose a reason for hiding this comment

nosan Mar 10, 2025

Choose a reason for hiding this comment

nosan commented Mar 6, 2025 •

edited

Loading

nosan commented Mar 6, 2025 •

edited

Loading