From c21d8545e58b2ef2aa16094a09b13ff92adef15c Mon Sep 17 00:00:00 2001 From: Christopher Cudennec Date: Fri, 7 Feb 2025 13:46:48 +0100 Subject: [PATCH] fix CVE-2024-57699 for predefined parsers --- README.md | 6 +- .../net/minidev/json/parser/JSONParser.java | 6 +- .../minidev/json/test/TestCVE202457699.java | 56 +++++++++++++++++++ 3 files changed, 64 insertions(+), 4 deletions(-) create mode 100644 json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java diff --git a/README.md b/README.md index 51bf1e9..45945a2 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,10 @@ So I do not use my json-smart anymore. I had fun with this project. If you want # Changelog +## *V 2.5.2* (2025-02-07) + +* Fix CVE-2024-57699 for predefined parsers. [PR 233](https://github.com/netplex/json-smart-v2/pull/233) + ### *V 2.5.1* (2024-03-14) * Bump all dependencies. @@ -122,4 +126,4 @@ So I do not use my json-smart anymore. I had fun with this project. If you want ### *V 2.0-RC1* (2012-02-18) * speed improvement in POJO manipulation - * add JSONStyle.LT_COMPRESS predefined generate strct json, but ignoring / escapement. + * add JSONStyle.LT_COMPRESS predefined generate strct json, but ignoring / escapement. \ No newline at end of file diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParser.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParser.java index 7a46065..e33015f 100644 --- a/json-smart/src/main/java/net/minidev/json/parser/JSONParser.java +++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParser.java @@ -115,7 +115,7 @@ public class JSONParser { * * @since 1.0.6 */ - public final static int MODE_RFC4627 = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_SPACE; + public final static int MODE_RFC4627 = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_SPACE | LIMIT_JSON_DEPTH; /** * Parse Object like json-simple * 
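Review bot: `MODE_RFC4627` is a `public final static int` initialised from a constant expression, so javac copies its value into every class that references it; the same applies to `MODE_JSON_SIMPLE` and `MODE_STRICTEST` in the next hunk. An application compiled against an earlier release that passes one of these constants to `new JSONParser(...)` keeps the old mask without `LIMIT_JSON_DEPTH` after a jar-only upgrade, and stays exposed until it is recompiled. I would say so in the release notes, for example `* Code referencing MODE_RFC4627, MODE_JSON_SIMPLE or MODE_STRICTEST must be recompiled to pick up the depth limit.` How the parser consumes the flag is outside this hunk, so I cannot tell from here whether a runtime default could also cover stale masks.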
@@ -123,13 +123,13 @@ public class JSONParser {
 *
 * @since 1.0.7
 */
- public final static int MODE_JSON_SIMPLE = ACCEPT_USELESS_COMMA | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_DATA | ACCEPT_TAILLING_SPACE | REJECT_127_CHAR | BIG_DIGIT_UNRESTRICTED;
+ public final static int MODE_JSON_SIMPLE = ACCEPT_USELESS_COMMA | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_DATA | ACCEPT_TAILLING_SPACE | REJECT_127_CHAR | BIG_DIGIT_UNRESTRICTED | LIMIT_JSON_DEPTH;
 /**
 * Strictest parsing mode
 *
 * @since 2.0.1
 */
- public final static int MODE_STRICTEST = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | REJECT_127_CHAR;
+ public final static int MODE_STRICTEST = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | REJECT_127_CHAR | LIMIT_JSON_DEPTH;
 /**
 * Default json-smart processing mode
 */
diff --git a/json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java b/json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java
new file mode 100644
index 0000000..afd0d9e
--- /dev/null
+++ b/json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java
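Review bot: The Javadoc above `MODE_JSON_SIMPLE` and `MODE_STRICTEST` is unchanged, so nothing tells a reader that these modes now reject deeply nested input. The same gap affects callers who assemble their own mask from the individual flags: they get no hint that they must OR in `LIMIT_JSON_DEPTH` themselves. I would add one line to each constant's comment, such as `* Includes LIMIT_JSON_DEPTH since 2.5.2: input nested beyond the parser's limit is rejected with a ParseException.` The declaration of `LIMIT_JSON_DEPTH` and its own Javadoc are outside this hunk.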
@@ -0,0 +1,56 @@
+package net.minidev.json.test;
+
+import net.minidev.json.parser.JSONParser;
+import net.minidev.json.parser.ParseException;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class TestCVE202457699 {
+
+ private static final String MALICIOUS_STRING = createMaliciousString();
+
+ @Test
+ public void jsonSimpleParserShouldRestrictDepth() {
+ JSONParser p = new JSONParser(JSONParser.MODE_JSON_SIMPLE);
+ assertThrows(ParseException.class,
+ () -> p.parse(MALICIOUS_STRING),
+ "Malicious payload, having non natural depths");
+ }
+
+ @Test
+ public void strictestParserShouldRestrictDepth() {
+ JSONParser p = new JSONParser(JSONParser.MODE_STRICTEST);
+ assertThrows(ParseException.class,
+ () -> p.parse(MALICIOUS_STRING),
+ "Malicious payload, having non natural depths");
+ }
+
+ @Test
+ public void rfc4627ParserShouldRestrictDepth() {
+ JSONParser p = new JSONParser(JSONParser.MODE_RFC4627);
+ assertThrows(ParseException.class,
+ () -> p.parse(MALICIOUS_STRING),
+ "Malicious payload, having non natural depths");
+ }
+
+ @Test
+ public void permissiveParserShouldRestrictDepth() {
+ JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE);
+ assertThrows(ParseException.class,
+ () -> p.parse(MALICIOUS_STRING),
+ "Malicious payload, having non natural depths");
+ }
+
+ private static String createMaliciousString() {
+ StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < 10000 ; i++) {
+ sb.append("{\"a\":");
+ }
+ sb.append("1");
+ for (int i = 0; i < 10000 ; i++) {
+ sb.append("}");
+ }
+ return sb.toString();
+ }
+}
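Review bot: All four tests feed the same object-only payload through `parse(String)` and only assert rejection, so they would miss a mode that bounds `{` nesting but not `[` nesting, and they would miss a limit that starts rejecting ordinary documents. I would add an array-nested variant of `createMaliciousString()` and one positive control per mode, e.g. `assertDoesNotThrow(() -> new JSONParser(JSONParser.MODE_STRICTEST).parse("{\"a\":{\"a\":1}}"));`. `MODE_PERMISSIVE` is not touched by this commit, so `permissiveParserShouldRestrictDepth` is a regression guard rather than a test of the fix; a one-line comment saying so would help. Whether the array path shares the depth check is not visible in this patch.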