Deserializing a JSON file containing a very long field name triggers an OOM error. The problem is that this error may crash the whole JVM.
We have no way to protect against this behavior except by limiting the global JSON file to be parsed (which may not be 100% effective because an attacker could send multiple files).
It would be great if we could configure UTF8StreamJsonParser to have a maximum String size so it can throw an exception when it reaches a limit instead of allocating an infinite amount of memory.
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at java.base/java.util.Arrays.copyOf(Arrays.java:3793)
at com.fasterxml.jackson.core.base.ParserBase.growArrayBy(ParserBase.java:1194)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.parseEscapedName(UTF8StreamJsonParser.java:1978)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.parseLongName(UTF8StreamJsonParser.java:1872)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.parseMediumName2(UTF8StreamJsonParser.java:1810)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.parseMediumName(UTF8StreamJsonParser.java:1767)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._parseName(UTF8StreamJsonParser.java:1702)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:757)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:151)
at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4173)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2467)
at com.fasterxml.jackson.core.JsonParser.readValueAs(JsonParser.java:1765)
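The kind of limit requested above, as an added example that is not part of the original issue or the project's own code: it assumes a jackson-core release that provides `StreamReadConstraints` with `maxNameLength` and `maxDocumentLength` settings. The class name, limit values and sample input are illustrative.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.nio.charset.StandardCharsets;

public class BoundedNameParsing {
    // Illustrative limits (assumptions): tune them to the largest legitimate input.
    static final int MAX_NAME_LENGTH = 1_024;
    static final long MAX_DOCUMENT_LENGTH = 1_000_000L;

    // Factory whose parsers fail fast on oversized field names or documents.
    static JsonFactory boundedFactory() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNameLength(MAX_NAME_LENGTH)
                .maxDocumentLength(MAX_DOCUMENT_LENGTH)
                .build();
        return JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
    }

    // Returns true if the document parses within the limits, false if it is rejected.
    static boolean parsesWithinLimits(byte[] doc) throws Exception {
        try (JsonParser parser = boundedFactory().createParser(doc)) {
            while (parser.nextToken() != null) {
                // Drain all tokens; field names are decoded as they are reached.
            }
            return true;
        } catch (StreamConstraintsException e) {
            // A recoverable per-request failure instead of a JVM-wide OutOfMemoryError.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a normal document and one with a 10,000-byte field name.
        byte[] normal = "{\"id\":1}".getBytes(StandardCharsets.UTF_8);
        byte[] longName = ("{\"" + "a".repeat(10_000) + "\":1}").getBytes(StandardCharsets.UTF_8);
        System.out.println("normal document accepted: " + parsesWithinLimits(normal));
        System.out.println("long field name accepted: " + parsesWithinLimits(longName));
    }
}
```

Passing the same factory to `new ObjectMapper(factory)` applies these limits to data-binding calls such as `readValue`.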