Added a nesting limit to the parser to prevent stack overflow that could be a security issue

2014-11-06 10:24:37 +01:00
parent 2e4dd2d591
commit a3425a6306
5 changed files with 104 additions and 7 deletions
--- a/test/JsonParser_NestingLimit_Tests.cpp
+++ b/test/JsonParser_NestingLimit_Tests.cpp
@ -0,0 +1,88 @@
+// Copyright Benoit Blanchon 2014
+// MIT License
+//
+// Arduino JSON library
+// https://github.com/bblanchon/ArduinoJson
+
+#include <gtest/gtest.h>
+#include <ArduinoJson/JsonArray.hpp>
+#include <ArduinoJson/JsonObject.hpp>
+#include <ArduinoJson/StaticJsonBuffer.hpp>
+
+using namespace ArduinoJson;
+
+class JsonParser_NestingLimit_Tests : public testing::Test {
+ protected:
+  void whenNestingLimitIs(uint8_t nestingLimit) {
+    _nestingLimit = nestingLimit;
+  }
+
+  void parseArrayMustFail(const char *json) {
+    ASSERT_FALSE(tryParseArray(json));
+  }
+
+  void parseArrayMustSucceed(const char *json) {
+    ASSERT_TRUE(tryParseArray(json));
+  }
+
+  void parseObjectMustFail(const char *json) {
+    ASSERT_FALSE(tryParseObject(json));
+  }
+
+  void parseObjectMustSucceed(const char *json) {
+    ASSERT_TRUE(tryParseObject(json));
+  }
+
+ private:
+  bool tryParseArray(const char *json) {
+    StaticJsonBuffer<256> buffer;
+    char s[256];
+    strcpy(s, json);
+    return buffer.parseArray(s, _nestingLimit).success();
+  }
+
+  bool tryParseObject(const char *json) {
+    StaticJsonBuffer<256> buffer;
+    char s[256];
+    strcpy(s, json);
+    return buffer.parseObject(s, _nestingLimit).success();
+  }
+
+  uint8_t _nestingLimit;
+};
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseArrayWithNestingLimit0) {
+  whenNestingLimitIs(0);
+  parseArrayMustSucceed("[]");
+  parseArrayMustFail("[[]]");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseArrayWithNestingLimit1) {
+  whenNestingLimitIs(1);
+  parseArrayMustSucceed("[[]]");
+  parseArrayMustFail("[[[]]]");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseArrayWithNestingLimit2) {
+  whenNestingLimitIs(2);
+  parseArrayMustSucceed("[[[]]]");
+  parseArrayMustFail("[[[[]]]]");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseObjectWithNestingLimit0) {
+  whenNestingLimitIs(0);
+  parseObjectMustSucceed("{}");
+  parseObjectMustFail("{\"key\":{}}");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseObjectWithNestingLimit1) {
+  whenNestingLimitIs(1);
+  parseObjectMustSucceed("{\"key\":{}}");
+  parseObjectMustFail("{\"key\":{\"key\":{}}}");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseObjectWithNestingLimit2) {
+  whenNestingLimitIs(2);
+  parseObjectMustSucceed("{\"key\":{\"key\":{}}}");
+  parseObjectMustFail("{\"key\":{\"key\":{\"key\":{}}}}");
+}