Guard against recursive data

jg-rp · Sep 18, 2023 · ea7606a · ea7606a
1 parent ad01f3c
commit ea7606a
Show file tree

Hide file tree

Showing 7 changed files with 108 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **Breaking Changes**
 
 - Rename `JSONPathEnvironment.filterRegister` to `JSONPathEnvironment.functionRegister`.
+- Removed `JSONPathEnvironment.options` in favour of equivalent environment properties. For example, `JSONPathEnvironment.options.maxIntIndex` is now `JSONPathEnvironment.maxIntIndex`.
 
 **Fixes**
 
@@ -15,6 +16,7 @@
 **Features**
 
 - Implement [Relative JSON Pointers](https://www.ietf.org/id/draft-hha-relative-json-pointer-00.html). Use the `to(rel)` method of `JSONPointer`, where `rel` is a relative JSON pointer string and a new `JSONPointer` is returned.
+- Guard against recursive data structures by implementing the `JSONPathEnvironment.maxRecursionDepth` option. When using the recursive descent selector (`..`), if the maximum recursion depth is reached, a `JSONPathRecursionLimitError` is thrown.
 
 # Version 0.1.1
 

diff --git a/src/index.ts b/src/index.ts
@@ -12,6 +12,7 @@ export {
   JSONPathNodeList,
   JSONPathSyntaxError,
   JSONPathTypeError,
+  JSONPathRecursionLimitError,
   Token,
   TokenKind,
   Nothing,

diff --git a/src/path/environment.ts b/src/path/environment.ts
@@ -20,37 +20,74 @@ import { Token, TokenStream } from "./token";
 import { JSONValue } from "../types";
 
 /**
- *
+ * JSONPath environment options. The defaults are in compliance with JSONPath
+ * standards.
  */
 export type JSONPathEnvironmentOptions = {
   /**
+   * Indicates if the environment should to be strict about its compliance with
+   * JSONPath standards.
    *
+   * Defaults to `true`. Setting `strict` to `false` currently has no effect.
+   * If/when we add non-standard features, the environment's strictness will
+   * control their availability.
    */
-  strict: boolean;
+  strict?: boolean;
 
   /**
-   *
+   * The maximum number allowed when indexing or slicing an array. Defaults to
+   * 2**53 -1.
    */
-  maxIntIndex: number;
+  maxIntIndex?: number;
 
   /**
-   *
+   * The minimum number allowed when indexing or slicing an array. Defaults to
+   * -(2**53) -1.
    */
-  minIntIndex: number;
-};
+  minIntIndex?: number;
 
-export const defaultOptions: JSONPathEnvironmentOptions = {
-  strict: true,
-  maxIntIndex: Math.pow(2, 53) - 1,
-  minIntIndex: -Math.pow(2, 53) - 1,
+  /**
+   * The maximum number of objects and/or arrays the recursive descent selector
+   * can visit before a `JSONPathRecursionLimitError` is thrown.
+   */
+  maxRecursionDepth?: number;
 };
 
 /**
  *
  */
 export class JSONPathEnvironment {
   /**
+   * Indicates if the environment should to be strict about its compliance with
+   * JSONPath standards.
    *
+   * Defaults to `true`. Setting `strict` to `false` currently has no effect.
+   * If/when we add non-standard features, the environment's strictness will
+   * control their availability.
+   */
+  readonly strict: boolean;
+
+  /**
+   * The maximum number allowed when indexing or slicing an array. Defaults to
+   * 2**53 -1.
+   */
+  readonly maxIntIndex: number;
+
+  /**
+   * The minimum number allowed when indexing or slicing an array. Defaults to
+   * -(2**53) -1.
+   */
+  readonly minIntIndex: number;
+
+  /**
+   * The maximum number of objects and/or arrays the recursive descent selector
+   * can visit before a `JSONPathRecursionLimitError` is thrown.
+   */
+  readonly maxRecursionDepth: number;
+
+  /**
+   * A map of function names to objects implementing the {@link FilterFunction}
+   * interface. You are free to set or delete custom filter functions directly.
    */
   public functionRegister: Map<string, FilterFunction> = new Map();
 
@@ -60,7 +97,11 @@ export class JSONPathEnvironment {
    *
    * @param options -
    */
-  constructor(readonly options: JSONPathEnvironmentOptions = defaultOptions) {
+  constructor(options: JSONPathEnvironmentOptions = {}) {
+    this.strict = options.strict ?? true;
+    this.maxIntIndex = options.maxIntIndex ?? Math.pow(2, 53) - 1;
+    this.minIntIndex = options.maxIntIndex ?? -Math.pow(2, 53) - 1;
+    this.maxRecursionDepth = options.maxRecursionDepth ?? 50;
     this.parser = new Parser(this);
     this.setupFilterFunctions();
   }

diff --git a/src/path/errors.ts b/src/path/errors.ts
@@ -111,3 +111,18 @@ export class JSONPathSyntaxError extends JSONPathError {
     this.message = withErrorContext(message, token);
   }
 }
+
+/**
+ * Error thrown when the maximum recursion depth is reached.
+ */
+export class JSONPathRecursionLimitError extends JSONPathError {
+  constructor(
+    readonly message: string,
+    readonly token: Token,
+  ) {
+    super(message, token);
+    Object.setPrototypeOf(this, new.target.prototype);
+    this.name = "JSONPathRecursionLimitError";
+    this.message = withErrorContext(message, token);
+  }
+}
diff --git a/src/path/index.ts b/src/path/index.ts
@@ -23,6 +23,7 @@ export {
   JSONPathLexerError,
   JSONPathSyntaxError,
   JSONPathTypeError,
+  JSONPathRecursionLimitError,
 } from "./errors";
 
 export { Nothing } from "./types";

diff --git a/src/path/selectors.ts b/src/path/selectors.ts
@@ -1,5 +1,5 @@
 import { JSONPathEnvironment } from "./environment";
-import { JSONPathIndexError } from "./errors";
+import { JSONPathIndexError, JSONPathRecursionLimitError } from "./errors";
 import { LogicalExpression } from "./expression";
 import { JSONPathNode, JSONPathNodeList } from "./node";
 import { Token } from "./token";
@@ -74,8 +74,8 @@ export class IndexSelector extends JSONPathSelector {
   ) {
     super(environment, token);
     if (
-      index < this.environment.options.minIntIndex ||
-      index > this.environment.options.maxIntIndex
+      index < this.environment.minIntIndex ||
+      index > this.environment.maxIntIndex
     ) {
       throw new JSONPathIndexError("index out of range", this.token);
     }
@@ -151,20 +151,14 @@ export class SliceSelector extends JSONPathSelector {
     for (const index of indices) {
       if (
         index !== undefined &&
-        (index < this.environment.options.minIntIndex ||
-          index > this.environment.options.maxIntIndex)
+        (index < this.environment.minIntIndex ||
+          index > this.environment.maxIntIndex)
       ) {
         throw new JSONPathIndexError("index out of range", this.token);
       }
     }
   }
 
-  private normalizedIndex(length: number, index: number): number {
-    if (index < 0 && length >= Math.abs(index))
-      return Math.min(length + index, length - 1);
-    return Math.min(index, length - 1);
-  }
-
   // eslint-disable-next-line sonarjs/cognitive-complexity
   private slice(
     arr: JSONValue[],
@@ -263,7 +257,13 @@ export class RecursiveDescentSegment extends JSONPathSelector {
     return "..";
   }
 
-  private visit(node: JSONPathNode): JSONPathNodeList {
+  private visit(node: JSONPathNode, depth: number = 1): JSONPathNodeList {
+    if (depth >= this.environment.maxRecursionDepth) {
+      throw new JSONPathRecursionLimitError(
+        "recursion limit reached",
+        this.token,
+      );
+    }
     const rv: JSONPathNode[] = [];
     if (node.value instanceof String) return new JSONPathNodeList(rv);
     if (isArray(node.value)) {
@@ -273,7 +273,7 @@ export class RecursiveDescentSegment extends JSONPathSelector {
           node.location.concat(i),
           node.root,
         );
-        rv.push(_node, ...this.visit(_node));
+        rv.push(_node, ...this.visit(_node, depth + 1));
       }
     } else if (isObject(node.value)) {
       for (const [key, value] of Object.entries(node.value)) {
@@ -282,7 +282,7 @@ export class RecursiveDescentSegment extends JSONPathSelector {
           node.location.concat(key),
           node.root,
         );
-        rv.push(_node, ...this.visit(_node));
+        rv.push(_node, ...this.visit(_node, depth + 1));
       }
     }
     return new JSONPathNodeList(rv);

diff --git a/tests/path/errors.test.ts b/tests/path/errors.test.ts
@@ -1,6 +1,8 @@
+import { JSONValue } from "../../src";
 import { JSONPathEnvironment } from "../../src/path/environment";
 import {
   JSONPathIndexError,
+  JSONPathRecursionLimitError,
   JSONPathSyntaxError,
   JSONPathTypeError,
   UndefinedFilterFunctionError,
@@ -70,3 +72,23 @@ describe("undefined filter function", () => {
     );
   });
 });
+
+describe("recursion limit reached", () => {
+  test("recursive data", () => {
+    const env = new JSONPathEnvironment();
+    const query = "$..a";
+    const arr: JSONValue[] = [];
+    const data = { foo: arr };
+    arr.push(data);
+    expect(() => env.query(query, data)).toThrow(JSONPathRecursionLimitError);
+    expect(() => env.query(query, data)).toThrow("recursion limit reached");
+  });
+
+  test("nested data with low limit", () => {
+    const env = new JSONPathEnvironment({ maxRecursionDepth: 2 });
+    const query = "$..a";
+    const data = { foo: [{ bar: [1, 2, 3] }] };
+    expect(() => env.query(query, data)).toThrow(JSONPathRecursionLimitError);
+    expect(() => env.query(query, data)).toThrow("recursion limit reached");
+  });
+});