Added a nesting limit to the parser to prevent stack overflow that could be a security issue

include/ArduinoJson/Internals/JsonParser.hpp

@@ -13,7 +13,8 @@ namespace Internals {
 
 class JsonParser {
  public:
-  JsonParser(JsonBuffer *buffer, char *json) : _buffer(buffer), _ptr(json) {}
+  JsonParser(JsonBuffer *buffer, char *json, uint8_t nestingLimit)
+      : _buffer(buffer), _ptr(json), _nestingLimit(nestingLimit) {}
 
   JsonArray &parseArray();
   JsonObject &parseObject();
@@ -33,6 +34,7 @@ class JsonParser {
 
   JsonBuffer *_buffer;
   char *_ptr;
+  uint8_t _nestingLimit;
 };
 }
 }

include/ArduinoJson/JsonBuffer.hpp

@@ -19,9 +19,11 @@ class JsonBuffer {
   JsonArray &createArray();
   JsonObject &createObject();
 
-  JsonArray &parseArray(char *json);
+  JsonArray &parseArray(char *json, uint8_t nestingLimit = DEFAULT_LIMIT);
-  JsonObject &parseObject(char *json);
+  JsonObject &parseObject(char *json, uint8_t nestingLimit = DEFAULT_LIMIT);
 
   virtual void *alloc(size_t size) = 0;
+
+  static const uint8_t DEFAULT_LIMIT = 10;
 };
 }

src/Internals/JsonParser.cpp

@@ -39,6 +39,9 @@ bool JsonParser::skip(const char *wordToSkip) {
 }
 
 void JsonParser::parseAnythingTo(JsonVariant &destination) {
+  if (_nestingLimit == 0) return;
+  _nestingLimit--;
+
   skipSpaces();
 
   switch (*_ptr) {
@@ -79,6 +82,8 @@ void JsonParser::parseAnythingTo(JsonVariant &destination) {
       destination = parseString();
       break;
   }
+
+  _nestingLimit++;
 }
 
 JsonArray &JsonParser::parseArray() {

src/JsonBuffer.cpp

@@ -26,12 +26,12 @@ JsonObject &JsonBuffer::createObject() {
   return JsonObject::invalid();
 }
 
-JsonArray &JsonBuffer::parseArray(char *json) {
+JsonArray &JsonBuffer::parseArray(char *json, uint8_t nestingLimit) {
-  JsonParser parser(this, json);
+  JsonParser parser(this, json, nestingLimit);
   return parser.parseArray();
 }
 
-JsonObject &JsonBuffer::parseObject(char *json) {
+JsonObject &JsonBuffer::parseObject(char *json, uint8_t nestingLimit) {
-  JsonParser parser(this, json);
+  JsonParser parser(this, json, nestingLimit);
   return parser.parseObject();
 }

test/JsonParser_NestingLimit_Tests.cpp

@@ -0,0 +1,88 @@
+// Copyright Benoit Blanchon 2014
+// MIT License
+//
+// Arduino JSON library
+// https://github.com/bblanchon/ArduinoJson
+
+#include <gtest/gtest.h>
+#include <ArduinoJson/JsonArray.hpp>
+#include <ArduinoJson/JsonObject.hpp>
+#include <ArduinoJson/StaticJsonBuffer.hpp>
+
+using namespace ArduinoJson;
+
+class JsonParser_NestingLimit_Tests : public testing::Test {
+ protected:
+  void whenNestingLimitIs(uint8_t nestingLimit) {
+    _nestingLimit = nestingLimit;
+  }
+
+  void parseArrayMustFail(const char *json) {
+    ASSERT_FALSE(tryParseArray(json));
+  }
+
+  void parseArrayMustSucceed(const char *json) {
+    ASSERT_TRUE(tryParseArray(json));
+  }
+
+  void parseObjectMustFail(const char *json) {
+    ASSERT_FALSE(tryParseObject(json));
+  }
+
+  void parseObjectMustSucceed(const char *json) {
+    ASSERT_TRUE(tryParseObject(json));
+  }
+
+ private:
+  bool tryParseArray(const char *json) {
+    StaticJsonBuffer<256> buffer;
+    char s[256];
+    strcpy(s, json);
+    return buffer.parseArray(s, _nestingLimit).success();
+  }
+
+  bool tryParseObject(const char *json) {
+    StaticJsonBuffer<256> buffer;
+    char s[256];
+    strcpy(s, json);
+    return buffer.parseObject(s, _nestingLimit).success();
+  }
+
+  uint8_t _nestingLimit;
+};
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseArrayWithNestingLimit0) {
+  whenNestingLimitIs(0);
+  parseArrayMustSucceed("[]");
+  parseArrayMustFail("[[]]");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseArrayWithNestingLimit1) {
+  whenNestingLimitIs(1);
+  parseArrayMustSucceed("[[]]");
+  parseArrayMustFail("[[[]]]");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseArrayWithNestingLimit2) {
+  whenNestingLimitIs(2);
+  parseArrayMustSucceed("[[[]]]");
+  parseArrayMustFail("[[[[]]]]");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseObjectWithNestingLimit0) {
+  whenNestingLimitIs(0);
+  parseObjectMustSucceed("{}");
+  parseObjectMustFail("{\"key\":{}}");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseObjectWithNestingLimit1) {
+  whenNestingLimitIs(1);
+  parseObjectMustSucceed("{\"key\":{}}");
+  parseObjectMustFail("{\"key\":{\"key\":{}}}");
+}
+
+TEST_F(JsonParser_NestingLimit_Tests, ParseObjectWithNestingLimit2) {
+  whenNestingLimitIs(2);
+  parseObjectMustSucceed("{\"key\":{\"key\":{}}}");
+  parseObjectMustFail("{\"key\":{\"key\":{\"key\":{}}}}");
+}