feat(common,framework): cap JSON parse depth and token count

Author: halibobo1205

common/src/main/java/org/tron/common/parameter/CommonParameter.java

@@ -504,6 +504,12 @@ public class CommonParameter {
   public int pBFTHttpPort;
   @Getter
   @Setter
+  public int maxNestingDepth = 100;
+  @Getter
+  @Setter
+  public int maxTokenCount = 100_000;
+  @Getter
+  @Setter
   public long pBFTExpireNum; // clearParam: 20
   @Getter
   @Setter

common/src/main/java/org/tron/core/config/args/NodeConfig.java

@@ -197,6 +197,8 @@ public static class HttpConfig {
     private int fullNodePort = 8090;
     private boolean solidityEnable = true;
     private int solidityPort = 8091;
+    private int maxNestingDepth = 100;
+    private int maxTokenCount = 100_000;
     // PBFT fields — handled manually (same naming issue as CommitteeConfig)
     // Default must match CommonParameter.pBFTHttpEnable = true
     @Getter(lombok.AccessLevel.NONE)

common/src/main/java/org/tron/json/JSON.java

@@ -20,7 +20,7 @@
 @Deprecated
 public final class JSON {
 
-  public static final ObjectMapper MAPPER = JsonMapper.builder()
+  static final ObjectMapper MAPPER = JsonMapper.builder()
       // Fastjson Feature.AllowUnQuotedFieldNames (default ON)
       .enable(JsonReadFeature.ALLOW_UNQUOTED_FIELD_NAMES)
       // Fastjson Feature.AllowSingleQuotes (default ON)

common/src/main/resources/reference.conf

@@ -269,6 +269,8 @@ node {
     solidityPort = 8091
     PBFTEnable = true
     PBFTPort = 8092
+    maxNestingDepth = 100
+    maxTokenCount = 100000
   }
 
   rpc {

framework/src/main/java/org/tron/core/config/args/Args.java

@@ -2,42 +2,27 @@
 
 import static java.lang.System.exit;
 import static org.tron.common.math.Maths.max;
-import static org.tron.common.math.Maths.min;
 import static org.tron.core.Constant.ADD_PRE_FIX_BYTE_MAINNET;
-import static org.tron.core.Constant.DEFAULT_PROPOSAL_EXPIRE_TIME;
-import static org.tron.core.Constant.DYNAMIC_ENERGY_INCREASE_FACTOR_RANGE;
-import static org.tron.core.Constant.DYNAMIC_ENERGY_MAX_FACTOR_RANGE;
 import static org.tron.core.Constant.ENERGY_LIMIT_IN_CONSTANT_TX;
-import static org.tron.core.Constant.MAX_PROPOSAL_EXPIRE_TIME;
-import static org.tron.core.Constant.MIN_PROPOSAL_EXPIRE_TIME;
-import static org.tron.core.config.Parameter.ChainConstant.BLOCK_PRODUCE_TIMEOUT_PERCENT;
-import static org.tron.core.config.Parameter.ChainConstant.MAX_ACTIVE_WITNESS_NUM;
-import static org.tron.core.exception.TronError.ErrCode.PARAMETER_INIT;
 
 import com.beust.jcommander.JCommander;
 import com.beust.jcommander.ParameterDescription;
+import com.fasterxml.jackson.core.StreamReadConstraints;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.typesafe.config.Config;
-import com.typesafe.config.ConfigObject;
-import io.grpc.internal.GrpcUtil;
-import io.grpc.netty.NettyServerBuilder;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
-import java.util.Optional;
 import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.BlockingQueue;
@@ -69,8 +54,6 @@
 import org.tron.core.Constant;
 import org.tron.core.Wallet;
 import org.tron.core.config.Configuration;
-import org.tron.core.config.Parameter.NetConstants;
-import org.tron.core.config.Parameter.NodeConstant;
 import org.tron.core.exception.TronError;
 import org.tron.core.store.AccountStore;
 import org.tron.p2p.P2pConfig;
@@ -573,6 +556,12 @@ private static void applyNodeConfig(NodeConfig nc) {
     PARAMETER.fullNodeHttpPort = http.getFullNodePort();
     PARAMETER.solidityHttpPort = http.getSolidityPort();
     PARAMETER.pBFTHttpPort = http.getPBFTPort();
+    PARAMETER.maxNestingDepth = http.getMaxNestingDepth();
+    PARAMETER.maxTokenCount = http.getMaxTokenCount();
+    StreamReadConstraints.overrideDefaultStreamReadConstraints(StreamReadConstraints.builder()
+        .maxNestingDepth(http.getMaxNestingDepth())
+        .maxTokenCount(http.getMaxTokenCount())
+        .build());
 
     // ---- JSON-RPC sub-bean ----
     NodeConfig.JsonRpcConfig jsonrpc = nc.getJsonrpc();

framework/src/test/java/org/tron/core/config/args/ArgsTest.java

@@ -15,6 +15,8 @@
 
 package org.tron.core.config.args;
 
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.StreamReadConstraints;
 import com.google.common.collect.Lists;
 import com.typesafe.config.Config;
 import com.typesafe.config.ConfigFactory;
@@ -38,7 +40,6 @@
 import org.tron.common.utils.DecodeUtil;
 import org.tron.common.utils.LocalWitnesses;
 import org.tron.common.utils.PublicMethod;
-import org.tron.core.config.Configuration;
 
 @Slf4j
 public class ArgsTest {
@@ -404,6 +405,52 @@ public void testFetchBlockTimeoutClampedAboveMax() {
     Args.clearParam();
   }
 
+
+  @Test
+  public void testHttpJsonParseConstraints() {
+    Map<String, String> override = new HashMap<>();
+    override.put("storage.db.directory", "database");
+    Config config = ConfigFactory.parseMap(override)
+        .withFallback(ConfigFactory.defaultReference());
+    Args.applyConfigParams(config);
+
+    Assert.assertEquals(100, Args.getInstance().getMaxNestingDepth());
+    Assert.assertEquals(100_000, Args.getInstance().getMaxTokenCount());
+    Args.clearParam();
+  }
+
+  @Test
+  public void testHttpJsonParseConstraintsApplied() {
+    StreamReadConstraints original = StreamReadConstraints.defaults();
+    try {
+      Map<String, String> override = new HashMap<>();
+      override.put("storage.db.directory", "database");
+      Config config = ConfigFactory.parseMap(override)
+          .withFallback(ConfigFactory.defaultReference());
+      Args.applyConfigParams(config);
+      Assert.assertEquals(100, Args.getInstance().getMaxNestingDepth());
+      Assert.assertEquals(100_000, Args.getInstance().getMaxTokenCount());
+
+      StreamReadConstraints applied = new JsonFactory().streamReadConstraints();
+      Assert.assertEquals(100, applied.getMaxNestingDepth());
+      Assert.assertEquals(100_000, applied.getMaxTokenCount());
+
+      override.put("node.http.maxNestingDepth", "42");
+      override.put("node.http.maxTokenCount", "12345");
+      config = ConfigFactory.parseMap(override)
+          .withFallback(ConfigFactory.defaultReference());
+      Args.applyConfigParams(config);
+      Assert.assertEquals(42, Args.getInstance().getMaxNestingDepth());
+      Assert.assertEquals(12345, Args.getInstance().getMaxTokenCount());
+      applied = new JsonFactory().streamReadConstraints();
+      Assert.assertEquals(42, applied.getMaxNestingDepth());
+      Assert.assertEquals(12345L, applied.getMaxTokenCount());
+    } finally {
+      StreamReadConstraints.overrideDefaultStreamReadConstraints(original);
+      Args.clearParam();
+    }
+  }
+
   @Test
   public void testFetchBlockTimeoutInRangeUnchanged() {
     Map<String, String> override = new HashMap<>();

framework/src/test/java/org/tron/json/JsonTest.java

@@ -8,6 +8,10 @@
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
+import com.fasterxml.jackson.core.StreamReadConstraints;
+import com.fasterxml.jackson.core.exc.StreamConstraintsException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.util.Arrays;
@@ -361,6 +365,64 @@ public void testTypeUtilsCoercion() {
     assertEquals(7L, TypeUtils.longValue(new BigDecimal("7")));
   }
 
+  // ===========================================================================
+  // StreamReadConstraints — verify the global override actually constrains
+  // parsing. JSON.MAPPER is built once at class init (well before this test
+  // runs in the test JVM), so we exercise the override on a freshly-built
+  // mapper. In production, Args.setParam() runs before MAPPER is loaded, so
+  // MAPPER inherits the configured limits.
+  // ===========================================================================
+
+  @Test
+  public void testNestingDepthOverride() {
+    StringBuilder open = new StringBuilder();
+    StringBuilder close = new StringBuilder();
+    int depth = 20;
+    for (int i = 0; i < depth; i++) {
+      open.append("{\"a\":");
+      close.append("}");
+    }
+    String deep = open + "1" + close;
+
+    assertNotNull(JSON.parseObject(deep));
+
+    StreamReadConstraints saved = StreamReadConstraints.defaults();
+    try {
+      StreamReadConstraints.overrideDefaultStreamReadConstraints(StreamReadConstraints.builder()
+          .maxNestingDepth(10).maxTokenCount(100).build());
+      ObjectMapper fresh = JsonMapper.builder().build();
+      StreamConstraintsException e = assertThrows(StreamConstraintsException.class,
+          () -> fresh.readTree(deep));
+      assertTrue(e.getMessage().toLowerCase().contains("depth"));
+    } finally {
+      StreamReadConstraints.overrideDefaultStreamReadConstraints(saved);
+    }
+  }
+
+  @Test
+  public void testTokenCountOverride() {
+    StringBuilder sb = new StringBuilder("[0");
+    for (int i = 1; i < 200; i++) {
+      sb.append(',').append(i);
+    }
+    sb.append(']');
+    String wide = sb.toString();
+
+    assertNotNull(JSON.parseArray(wide));
+
+    StreamReadConstraints saved = StreamReadConstraints.defaults();
+    try {
+      StreamReadConstraints.overrideDefaultStreamReadConstraints(StreamReadConstraints.builder()
+          .maxNestingDepth(10).maxTokenCount(100).build());
+      ObjectMapper fresh = JsonMapper.builder().build();
+      StreamConstraintsException e = assertThrows(StreamConstraintsException.class,
+          () -> fresh.readTree(wide));
+      assertTrue(e.getMessage().toLowerCase().contains("token"));
+    } finally {
+      StreamReadConstraints.overrideDefaultStreamReadConstraints(saved);
+    }
+  }
+
   public static class Pojo {
     public String name;
   }