Merge branch '3.4.x'

philwebb · philwebb · commit c6c2ce2edae0 · 2025-04-22T20:00:43.000-07:00
Closes gh-45262
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/JsonValueWriter.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/JsonValueWriter.java
@@ -47,8 +47,12 @@
  */
 class JsonValueWriter {
 
+	private static final int DEFAULT_MAX_NESTING_DEPTH = 500;
+
 	private final Appendable out;
 
+	private final int maxNestingDepth;
+
 	private MemberPath path = MemberPath.ROOT;
 
 	private final Deque<JsonWriterFiltersAndProcessors> filtersAndProcessors = new ArrayDeque<>();
@@ -60,7 +64,18 @@ class JsonValueWriter {
 	 * @param out the {@link Appendable} used to receive the JSON output
 	 */
 	JsonValueWriter(Appendable out) {
+		this(out, DEFAULT_MAX_NESTING_DEPTH);
+	}
+
+	/**
+	 * Create a new {@link JsonValueWriter} instance.
+	 * @param out the {@link Appendable} used to receive the JSON output
+	 * @param maxNestingDepth the maximum allowed nesting depth for JSON objects and
+	 * arrays
+	 */
+	JsonValueWriter(Appendable out, int maxNestingDepth) {
 		this.out = out;
+		this.maxNestingDepth = maxNestingDepth;
 	}
 
 	void pushProcessors(JsonWriterFiltersAndProcessors jsonProcessors) {
@@ -115,10 +130,7 @@ else if (value instanceof WritableJson writableJson) {
 				throw new UncheckedIOException(ex);
 			}
 		}
-		else if (value instanceof Path p) {
-			writeString(p.toString());
-		}
-		else if (value instanceof Iterable<?> iterable) {
+		else if (value instanceof Iterable<?> iterable && canWriteAsArray(iterable)) {
 			writeArray(iterable::forEach);
 		}
 		else if (ObjectUtils.isArray(value)) {
@@ -135,6 +147,10 @@ else if (value instanceof Number || value instanceof Boolean) {
 		}
 	}
 
+	private <V> boolean canWriteAsArray(Iterable<?> iterable) {
+		return !(iterable instanceof Path);
+	}
+
 	/**
 	 * Start a new {@link Series} (JSON object or array).
 	 * @param series the series to start
@@ -144,6 +160,10 @@ else if (value instanceof Number || value instanceof Boolean) {
 	 */
 	void start(Series series) {
 		if (series != null) {
+			int nestingDepth = this.activeSeries.size();
+			Assert.state(nestingDepth <= this.maxNestingDepth,
+					() -> "JSON nesting depth (%s) exceeds maximum depth of %s (current path: %s)"
+						.formatted(nestingDepth, this.maxNestingDepth, this.path));
 			this.activeSeries.push(new ActiveSeries(series));
 			append(series.openChar);
 		}
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/JsonValueWriterTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/json/JsonValueWriterTests.java
@@ -18,6 +18,7 @@
 
 import java.io.File;
 import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -253,6 +254,36 @@ void writeJavaNioPathShouldBeSerializedAsString() {
 			.isEqualTo(quoted("a\\%1$sb\\%1$sc".formatted(File.separator)));
 	}
 
+	@Test
+	void illegalStateExceptionShouldBeThrownWhenCollectionExceededNestingDepth() {
+		JsonValueWriter writer = new JsonValueWriter(new StringBuilder(), 128);
+		List<Object> list = new ArrayList<>();
+		list.add(list);
+		assertThatIllegalStateException().isThrownBy(() -> writer.write(list))
+			.withMessageStartingWith(
+					"JSON nesting depth (129) exceeds maximum depth of 128 (current path: [0][0][0][0][0][0][0][0][0][0][0][0]");
+	}
+
+	@Test
+	void illegalStateExceptionShouldBeThrownWhenMapExceededNestingDepth() {
+		JsonValueWriter writer = new JsonValueWriter(new StringBuilder(), 128);
+		Map<String, Object> map = new LinkedHashMap<>();
+		map.put("foo", Map.of("bar", map));
+		assertThatIllegalStateException().isThrownBy(() -> writer.write(map))
+			.withMessageStartingWith(
+					"JSON nesting depth (129) exceeds maximum depth of 128 (current path: foo.bar.foo.bar.foo.bar.foo");
+	}
+
+	@Test
+	void illegalStateExceptionShouldBeThrownWhenIterableExceededNestingDepth() {
+		JsonValueWriter writer = new JsonValueWriter(new StringBuilder(), 128);
+		List<Object> list = new ArrayList<>();
+		list.add(list);
+		assertThatIllegalStateException().isThrownBy(() -> writer.write((Iterable<Object>) list::iterator))
+			.withMessageStartingWith(
+					"JSON nesting depth (129) exceeds maximum depth of 128 (current path: [0][0][0][0][0][0][0][0][0][0][0][0]");
+	}
+
 	private <V> String write(V value) {
 		return doWrite((valueWriter) -> valueWriter.write(value));
 	}
