Make Object and JsonElement deserialization iterative

Often when Object and JsonElement are deserialized the format of the JSON
data is unknown and it might come from an untrusted source. To avoid a
StackOverflowError from maliciously crafted JSON, deserialize Object and
JsonElement iteratively instead of recursively.

Concept based on FasterXML/jackson-databind@51fd2fa
But implementation is not based on it.

Author: Marcono1234

gson/src/main/java/com/google/gson/internal/bind/ObjectTypeAdapter.java

@@ -27,6 +27,7 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
@@ -51,42 +52,97 @@ public final class ObjectTypeAdapter extends TypeAdapter<Object> {
     this.gson = gson;
   }
 
-  @Override public Object read(JsonReader in) throws IOException {
-    JsonToken token = in.peek();
-    switch (token) {
-    case BEGIN_ARRAY:
-      List<Object> list = new ArrayList<Object>();
+  /**
+   * Tries to begin reading a JSON array or JSON object, returning {@code null} if
+   * the next element is neither of those.
+   */
+  private Object tryBeginNesting(JsonReader in, JsonToken peeked) throws IOException {
+    if (peeked == JsonToken.BEGIN_ARRAY) {
       in.beginArray();
-      while (in.hasNext()) {
-        list.add(read(in));
-      }
-      in.endArray();
-      return list;
-
-    case BEGIN_OBJECT:
-      Map<String, Object> map = new LinkedTreeMap<String, Object>();
+      return new ArrayList<Object>();
+    } else if (peeked == JsonToken.BEGIN_OBJECT) {
       in.beginObject();
-      while (in.hasNext()) {
-        map.put(in.nextName(), read(in));
-      }
-      in.endObject();
-      return map;
+      return new LinkedTreeMap<String, Object>();
+    } else {
+      return null;
+    }
+  }
 
+  /** Reads an {@code Object} which cannot have any nested elements */
+  private Object readTerminal(JsonReader in, JsonToken peeked) throws IOException {
+    switch (peeked) {
     case STRING:
       return in.nextString();
-
     case NUMBER:
       return in.nextDouble();
-
     case BOOLEAN:
       return in.nextBoolean();
-
     case NULL:
       in.nextNull();
       return null;
-
     default:
-      throw new IllegalStateException();
+      // When read(JsonReader) is called with JsonReader in invalid state
+      throw new IllegalStateException("Unexpected token: " + peeked);
+    }
+  }
+
+  @Override public Object read(JsonReader in) throws IOException {
+    // Either List or Map
+    Object current;
+    JsonToken peeked = in.peek();
+
+    current = tryBeginNesting(in, peeked);
+    if (current == null) {
+      return readTerminal(in, peeked);
+    }
+
+    LinkedList<Object> stack = new LinkedList<Object>();
+
+    while (true) {
+      while (in.hasNext()) {
+        String name = null;
+        // Name is only used for JSON object members
+        if (current instanceof Map) {
+          name = in.nextName();
+        }
+
+        peeked = in.peek();
+        Object value = tryBeginNesting(in, peeked);
+        boolean isNesting = value != null;
+
+        if (value == null) {
+          value = readTerminal(in, peeked);
+        }
+
+        if (current instanceof List) {
+          @SuppressWarnings("unchecked")
+          List<Object> list = (List<Object>) current;
+          list.add(value);
+        } else {
+          @SuppressWarnings("unchecked")
+          Map<String, Object> map = (Map<String, Object>) current;
+          map.put(name, value);
+        }
+
+        if (isNesting) {
+          stack.addLast(current);
+          current = value;
+        }
+      }
+
+      // End current element
+      if (current instanceof List) {
+        in.endArray();
+      } else {
+        in.endObject();
+      }
+
+      if (stack.isEmpty()) {
+        return current;
+      } else {
+        // Continue with enclosing element
+        current = stack.removeLast();
+      }
     }
   }
 

gson/src/main/java/com/google/gson/internal/bind/TypeAdapters.java

@@ -31,6 +31,7 @@
 import java.util.Date;
 import java.util.GregorianCalendar;
 import java.util.HashMap;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -406,7 +407,7 @@ public void write(JsonWriter out, String value) throws IOException {
       out.value(value);
     }
   };
-  
+
   public static final TypeAdapter<BigDecimal> BIG_DECIMAL = new TypeAdapter<BigDecimal>() {
     @Override public BigDecimal read(JsonReader in) throws IOException {
       if (in.peek() == JsonToken.NULL) {
@@ -424,7 +425,7 @@ public void write(JsonWriter out, String value) throws IOException {
       out.value(value);
     }
   };
-  
+
   public static final TypeAdapter<BigInteger> BIG_INTEGER = new TypeAdapter<BigInteger>() {
     @Override public BigInteger read(JsonReader in) throws IOException {
       if (in.peek() == JsonToken.NULL) {
@@ -696,8 +697,25 @@ public void write(JsonWriter out, Locale value) throws IOException {
   public static final TypeAdapterFactory LOCALE_FACTORY = newFactory(Locale.class, LOCALE);
 
   public static final TypeAdapter<JsonElement> JSON_ELEMENT = new TypeAdapter<JsonElement>() {
-    @Override public JsonElement read(JsonReader in) throws IOException {
-      switch (in.peek()) {
+    /**
+     * Tries to begin reading a JSON array or JSON object, returning {@code null} if
+     * the next element is neither of those.
+     */
+    private JsonElement tryBeginNesting(JsonReader in, JsonToken peeked) throws IOException {
+      if (peeked == JsonToken.BEGIN_ARRAY) {
+        in.beginArray();
+        return new JsonArray();
+      } else if (peeked == JsonToken.BEGIN_OBJECT) {
+        in.beginObject();
+        return new JsonObject();
+      } else {
+        return null;
+      }
+    }
+
+    /** Reads a {@link JsonElement} which cannot have any nested elements */
+    private JsonElement readTerminal(JsonReader in, JsonToken peeked) throws IOException {
+      switch (peeked) {
       case STRING:
         return new JsonPrimitive(in.nextString());
       case NUMBER:
@@ -708,28 +726,65 @@ public void write(JsonWriter out, Locale value) throws IOException {
       case NULL:
         in.nextNull();
         return JsonNull.INSTANCE;
-      case BEGIN_ARRAY:
-        JsonArray array = new JsonArray();
-        in.beginArray();
+      default:
+        // When read(JsonReader) is called with JsonReader in invalid state
+        throw new IllegalStateException("Unexpected token: " + peeked);
+      }
+    }
+
+    @Override public JsonElement read(JsonReader in) throws IOException {
+      // Either JsonArray or JsonObject
+      JsonElement current;
+      JsonToken peeked = in.peek();
+
+      current = tryBeginNesting(in, peeked);
+      if (current == null) {
+        return readTerminal(in, peeked);
+      }
+
+      LinkedList<JsonElement> stack = new LinkedList<JsonElement>();
+
+      while (true) {
         while (in.hasNext()) {
-          array.add(read(in));
+          String name = null;
+          // Name is only used for JSON object members
+          if (current instanceof JsonObject) {
+            name = in.nextName();
+          }
+
+          peeked = in.peek();
+          JsonElement value = tryBeginNesting(in, peeked);
+          boolean isNesting = value != null;
+
+          if (value == null) {
+            value = readTerminal(in, peeked);
+          }
+
+          if (current instanceof JsonArray) {
+            ((JsonArray) current).add(value);
+          } else {
+            ((JsonObject) current).add(name, value);
+          }
+
+          if (isNesting) {
+            stack.addLast(current);
+            current = value;
+          }
         }
-        in.endArray();
-        return array;
-      case BEGIN_OBJECT:
-        JsonObject object = new JsonObject();
-        in.beginObject();
-        while (in.hasNext()) {
-          object.add(in.nextName(), read(in));
+
+        // End current element
+        if (current instanceof JsonArray) {
+          in.endArray();
+        } else {
+          in.endObject();
+        }
+
+        if (stack.isEmpty()) {
+          return current;
+        } else {
+          // Continue with enclosing element
+          current = stack.removeLast();
         }
-        in.endObject();
-        return object;
-      case END_DOCUMENT:
-      case NAME:
-      case END_OBJECT:
-      case END_ARRAY:
-      default:
-        throw new IllegalArgumentException();
       }
     }
 

gson/src/test/java/com/google/gson/JsonParserParameterizedTest.java

@@ -0,0 +1,42 @@
+package com.google.gson;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.util.Arrays;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+@RunWith(Parameterized.class)
+public class JsonParserParameterizedTest {
+  @Parameters
+  public static Iterable<String> data() {
+    return Arrays.asList(
+      "[]",
+      "{}",
+      "null",
+      "1.0",
+      "true",
+      "\"string\"",
+      "[true,1.0,null,{},2.0,{\"a\":[false]},[3.0,\"test\"],4.0]",
+      "{\"\":1.0,\"a\":true,\"b\":null,\"c\":[],\"d\":{\"a1\":2.0,\"b2\":[true,{\"a3\":3.0}]},\"e\":[{\"f\":4.0},\"test\"]}"
+    );
+  }
+
+  private final TypeAdapter<JsonElement> adapter = new Gson().getAdapter(JsonElement.class);
+  @Parameter
+  public String json;
+
+  @Test
+  public void testParse() throws IOException {
+    JsonElement deserialized = JsonParser.parseString(json);
+    String actualSerialized = adapter.toJson(deserialized);
+
+    // Serialized JsonElement should be the same as original JSON
+    assertEquals(json, actualSerialized);
+  }
+}

gson/src/test/java/com/google/gson/JsonParserTest.java

@@ -18,8 +18,8 @@
 
 import java.io.CharArrayReader;
 import java.io.CharArrayWriter;
+import java.io.IOException;
 import java.io.StringReader;
-
 import junit.framework.TestCase;
 
 import com.google.gson.common.TestTypes.BagOfPrimitives;
@@ -90,6 +90,54 @@ public void testParseMixedArray() {
     assertEquals("stringValue", array.get(2).getAsString());
   }
 
+  private static String repeat(String s, int times) {
+    StringBuilder stringBuilder = new StringBuilder(s.length() * times);
+    for (int i = 0; i < times; i++) {
+      stringBuilder.append(s);
+    }
+    return stringBuilder.toString();
+  }
+
+  /** Deeply nested JSON arrays should not cause {@link StackOverflowError} */
+  public void testParseDeeplyNestedArrays() throws IOException {
+    int times = 10000;
+    // [[[ ... ]]]
+    String json = repeat("[", times) + repeat("]", times);
+
+    int actualTimes = 0;
+    JsonArray current = JsonParser.parseString(json).getAsJsonArray();
+    while (true) {
+      actualTimes++;
+      if (current.isEmpty()) {
+        break;
+      }
+      assertEquals(1, current.size());
+      current = current.get(0).getAsJsonArray();
+    }
+    assertEquals(times, actualTimes);
+  }
+
+  /** Deeply nested JSON objects should not cause {@link StackOverflowError} */
+  public void testParseDeeplyNestedObjects() throws IOException {
+    int times = 10000;
+    // {"a":{"a": ... {"a":null} ... }}
+    String json = repeat("{\"a\":", times) + "null" + repeat("}", times);
+
+    int actualTimes = 0;
+    JsonObject current = JsonParser.parseString(json).getAsJsonObject();
+    while (true) {
+      assertEquals(1, current.size());
+      actualTimes++;
+      JsonElement next = current.get("a");
+      if (next.isJsonNull()) {
+        break;
+      } else {
+        current = next.getAsJsonObject();
+      }
+    }
+    assertEquals(times, actualTimes);
+  }
+
   public void testParseReader() {
     StringReader reader = new StringReader("{a:10,b:'c'}");
     JsonElement e = JsonParser.parseReader(reader);