fix: parse large file with resolve option set to true

Author: daniel-kmiecik

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java

@@ -18,6 +18,8 @@
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.LoggerFactory;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Yaml;
 
 import java.util.HashMap;
 import java.util.HashSet;
@@ -35,6 +37,8 @@ public class ReferenceVisitor extends AbstractVisitor {
     protected Reference reference;
     protected DereferencerContext context;
     private PermittedUrlsChecker permittedUrlsChecker;
+    private final LoaderOptions loaderOptions;
+
 
     public ReferenceVisitor(
             Reference reference,
@@ -46,6 +50,7 @@ public ReferenceVisitor(
         this.visited = visited;
         this.visitedMap = visitedMap;
         this.context = null;
+        this.loaderOptions = new LoaderOptions();
     }
 
     public ReferenceVisitor(
@@ -61,6 +66,7 @@ public ReferenceVisitor(
         this.context = context;
         this.permittedUrlsChecker = new PermittedUrlsChecker(context.getParseOptions().getRemoteRefAllowList(),
                 context.getParseOptions().getRemoteRefBlockList());
+        this.loaderOptions = new LoaderOptions();
     }
 
     public String toBaseURI(String uri) throws Exception{
@@ -301,7 +307,25 @@ public JsonNode findAnchor(JsonNode root, String anchor) {
 
     public JsonNode deserializeIntoTree(String content) throws Exception {
         boolean isJson = content.trim().startsWith("{");
-        return isJson ? Json31.mapper().readTree(content) : Yaml31.mapper().readTree(content);
+        if (isJson) {
+            return Json31.mapper().readTree(content);
+        }
+        Yaml yaml = getYaml();
+
+        Object yamlObject = yaml.load(content);
+        return Yaml31.mapper().valueToTree(yamlObject);
+    }
+
+    private Yaml getYaml() {
+        Yaml yaml;
+        String yamlCodePoints = System.getProperty("maxYamlCodePoints");
+        if (yamlCodePoints != null && !yamlCodePoints.isEmpty() && StringUtils.isNumeric(yamlCodePoints)) {
+            loaderOptions.setCodePointLimit(Integer.parseInt(yamlCodePoints));
+            yaml = new Yaml(loaderOptions);
+        } else {
+            yaml = new Yaml();
+        }
+        return yaml;
     }
 
     public JsonNode parse(String absoluteUri, List<AuthorizationValue> auths) throws Exception {

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/DeserializationUtils.java

@@ -41,7 +41,6 @@ public static class Options {
         private Long maxYamlReferences = System.getProperty("maxYamlReferences") == null ? 10000000L : Long.parseLong(System.getProperty("maxYamlReferences"));
         private boolean validateYamlInput = System.getProperty("validateYamlInput") == null || Boolean.parseBoolean(System.getProperty("validateYamlInput"));
         private boolean yamlCycleCheck = System.getProperty("yamlCycleCheck") == null || Boolean.parseBoolean(System.getProperty("yamlCycleCheck"));
-        private Integer maxYamlCodePoints = System.getProperty("maxYamlCodePoints") == null ? 3 * 1024 * 1024 : Integer.parseInt(System.getProperty("maxYamlCodePoints"));
         private Integer maxYamlAliasesForCollections = System.getProperty("maxYamlAliasesForCollections") == null ? Integer.MAX_VALUE : Integer.parseInt(System.getProperty("maxYamlAliasesForCollections"));
         private boolean yamlAllowRecursiveKeys = System.getProperty("yamlAllowRecursiveKeys") == null || Boolean.parseBoolean(System.getProperty("yamlAllowRecursiveKeys"));
 
@@ -79,11 +78,7 @@ public void setYamlCycleCheck(boolean yamlCycleCheck) {
         }
 
         public Integer getMaxYamlCodePoints() {
-          return maxYamlCodePoints;
-        }
-
-        public void setMaxYamlCodePoints(Integer maxYamlCodePoints) {
-          this.maxYamlCodePoints = maxYamlCodePoints;
+          return System.getProperty("maxYamlCodePoints") == null ? 3 * 1024 * 1024 : Integer.parseInt(System.getProperty("maxYamlCodePoints"));
         }
 
         public Integer getMaxYamlAliasesForCollections() {
@@ -103,7 +98,7 @@ public void setYamlAllowRecursiveKeys(boolean yamlAllowRecursiveKeys) {
         }
     }
 
-    private static Options options = new Options();
+    private static final Options options = new Options();
 
     private static final Logger LOGGER = LoggerFactory.getLogger(DeserializationUtils.class);
 
@@ -145,7 +140,6 @@ protected void addImplicitResolvers() {
             addImplicitResolver(Tag.MERGE, MERGE, "<");
             addImplicitResolver(Tag.NULL, NULL, "~nN\0");
             addImplicitResolver(Tag.NULL, EMPTY, null);
-            // addImplicitResolver(Tag.TIMESTAMP, TIMESTAMP, "0123456789");
         }
     }
 
@@ -249,15 +243,15 @@ public static JsonNode readYamlTree(String contents, ParseOptions parseOptions,
             return Json.mapper().convertValue(yaml.load(contents), JsonNode.class);
         }
         try {
-            org.yaml.snakeyaml.Yaml yaml = null;
+            org.yaml.snakeyaml.Yaml yaml;
             if (options.isValidateYamlInput()) {
                 yaml = buildSnakeYaml(new CustomSnakeYamlConstructor());
             } else {
                 yaml = buildSnakeYaml(new SafeConstructor(buildLoaderOptions()));
             }
             Object o = yaml.load(contents);
             if (options.isValidateYamlInput()) {
-                boolean res = exceedsLimits(o, null, new Integer(0), new IdentityHashMap<Object, Long>(), deserializationUtilsResult);
+                boolean res = exceedsLimits(o, null, 0, new IdentityHashMap<>(), deserializationUtilsResult);
                 if (res) {
                     LOGGER.warn("Error converting snake-parsed yaml to JsonNode");
                     return getYaml30Mapper().readTree(contents);
@@ -270,8 +264,8 @@ public static JsonNode readYamlTree(String contents, ParseOptions parseOptions,
                 //
             }
             return Json.mapper().convertValue(o, JsonNode.class);
-        } catch (Throwable e) {
-            LOGGER.warn("Error snake-parsing yaml content", e);
+        } catch (Exception e) {
+            LOGGER.warn(e.getMessage(), e);
             if (deserializationUtilsResult != null) {
                 deserializationUtilsResult.message(e.getMessage());
             }
@@ -302,8 +296,7 @@ public static org.yaml.snakeyaml.Yaml buildSnakeYaml(BaseConstructor constructor
         }
         try {
             LoaderOptions loaderOptions = buildLoaderOptions();
-            org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(constructor, new Representer(new DumperOptions()), new DumperOptions(), loaderOptions, new CustomResolver());
-            return yaml;
+            return new org.yaml.snakeyaml.Yaml(constructor, new Representer(new DumperOptions()), new DumperOptions(), loaderOptions, new CustomResolver());
         } catch (Exception e) {
             //
             LOGGER.error("error building snakeYaml", e);
@@ -479,8 +472,8 @@ public Object getSingleData(Class<?> type) {
                 throw new SnakeException("StackOverflow safe-checking yaml content (maxDepth " + options.getMaxYamlDepth() + ")", e);
             } catch (DuplicateKeyException e) {
                 throw new SnakeException(e.getProblem().replace("found duplicate key", "Duplicate field"));
-            } catch (Throwable e) {
-                throw new SnakeException("Exception safe-checking yaml content  (maxDepth " + options.getMaxYamlDepth() + ", maxYamlAliasesForCollections " + options.getMaxYamlAliasesForCollections() + ")", e);
+            } catch (Exception e) {
+                throw new SnakeException(e.getMessage() + "; Max code points: " + options.getMaxYamlCodePoints(), e);
             }
         }
     }

modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/reference/ReferenceVisitorTest.java

@@ -0,0 +1,64 @@
+package io.swagger.v3.parser.reference;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import org.testng.annotations.Test;
+import org.yaml.snakeyaml.error.YAMLException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.Assert.assertFalse;
+import static org.testng.Assert.assertNotNull;
+
+public class ReferenceVisitorTest {
+
+    @Test
+    public void largeFileShouldBeParsedByJacksonLibraryWhenCodeLimitIsSet() throws Exception {
+        System.setProperty("maxYamlCodePoints", "10000000");
+        ReferenceVisitor visitor = new ReferenceVisitor(null, null, null, null);
+        String resourceName = "/issue2059/largeFile.yaml";
+        String content = readResourceAsString(resourceName);
+
+        JsonNode jsonNode = visitor.deserializeIntoTree(content);
+
+        assertNotNull(content);
+        assertFalse(content.isEmpty());
+        assertNotNull(jsonNode);
+        System.clearProperty("maxYamlCodePoints");
+    }
+
+    @Test
+    public void largeFileShouldNotBeParsedByJacksonLibraryWhenCodeLimitIsNotSet() throws Exception {
+        ReferenceVisitor visitor = new ReferenceVisitor(null, null, null, null);
+        String resourceName = "/issue2059/largeFile.yaml";
+        String content = readResourceAsString(resourceName);
+
+        try {
+            visitor.deserializeIntoTree(content);
+            // Fail if no exception is thrown
+            org.testng.Assert.fail("Expected YAMLException was not thrown");
+        } catch (YAMLException ex) {
+            org.testng.Assert.assertTrue(
+                    ex.getMessage() != null &&
+                            ex.getMessage().contains("The incoming YAML document exceeds the limit: 3145728 code points."),
+                    "Unexpected YAMLException message: " + ex.getMessage()
+            );
+        }
+    }
+
+    private String readResourceAsString(String resourceName) throws IOException {
+        try (InputStream is = this.getClass().getResourceAsStream(resourceName)) {
+            if (is == null) {
+                throw new IOException("Resource not found: " + resourceName);
+            }
+            java.io.ByteArrayOutputStream buffer = new java.io.ByteArrayOutputStream();
+            byte[] data = new byte[4096];
+            int nRead;
+            while ((nRead = is.read(data, 0, data.length)) != -1) {
+                buffer.write(data, 0, nRead);
+            }
+            return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
+        }
+    }
+}