author | Johannes Rudolph <johannes.rudolph@gmail.com> | 2018-11-06 16:19:13 +0100 |
---|---|---|
committer | Johannes Rudolph <johannes.rudolph@gmail.com> | 2018-11-07 15:04:41 +0100 |
commit | a55875309b804f10c22dffb1a37358518d8ac48d (patch) | |
tree | 1e863a869986974b82b87a590df2ee30a21e2de8 /src/main/scala/spray/json/JsonParserSettings.scala | |
parent | 3ccb0768cb5ccb0c4b577742ee7f1ec7d3b9c83f (diff) | |
CVE-2018-18855 Fix uncontrolled recursion in the JsonParser by imposing a configurable limit on the depth, fixes #286
Diffstat (limited to 'src/main/scala/spray/json/JsonParserSettings.scala')
-rw-r--r-- | src/main/scala/spray/json/JsonParserSettings.scala | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/main/scala/spray/json/JsonParserSettings.scala b/src/main/scala/spray/json/JsonParserSettings.scala
index 31692fd..d07075e 100644
--- a/src/main/scala/spray/json/JsonParserSettings.scala
+++ b/src/main/scala/spray/json/JsonParserSettings.scala
@@ -1,10 +1,27 @@
 package spray.json
 trait JsonParserSettings {
+ /**
+ * The JsonParser uses recursive decent parsing that keeps intermediate values on the stack. To prevent
+ * StackOverflowExceptions a limit is enforced on the depth of the parsed JSON structure.
+ *
+ * As a guideline we tested that one level of depth needs about 300 bytes of stack space.
+ *
+ * The default is a depth of 1000.
+ */
+ def maxDepth: Int
+ /**
+ * Return a copy of this settings object with the `maxDepth` setting changed to the new value.
+ */
+ def withMaxDepth(newValue: Int): JsonParserSettings
 }
 object JsonParserSettings {
 val default: JsonParserSettings = SettingsImpl()
- private case class SettingsImpl() extends JsonParserSettings
+ private case class SettingsImpl(
+ maxDepth: Int = 1000
+ ) extends JsonParserSettings {
+ override def withMaxDepth(newValue: Int): JsonParserSettings = copy(maxDepth = newValue)
+ }
 }
\ No newline at end of file |
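Review bot: `withMaxDepth` and the `SettingsImpl` constructor accept any `Int`, so a negative value, or one far larger than the parsing thread's stack can hold at the stated ~300 bytes per level, is taken silently; the latter effectively switches the CVE-2018-18855 protection off again. Consider a guard in `SettingsImpl` such as `require(maxDepth >= 0, "maxDepth must not be negative")`, plus a sentence in the `maxDepth` Scaladoc saying that raising the limit needs proportionally more stack on the thread that runs the parser. How the parser compares against the limit is outside this file, so the exact lower bound should be confirmed there. In the same Scaladoc, "decent" should read "descent", and the JVM type is `StackOverflowError` rather than "StackOverflowExceptions".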