1616 * </li>
1717 * <li>Maximum String value length: default 20_000_000 (see {@link #DEFAULT_MAX_STRING_LEN})
1818 * </li>
19+ * <li>Maximum Property name length: default 50_000 (see {@link #DEFAULT_MAX_NAME_LEN})
20+ * </li>
1921 * <li>Maximum Nesting depth: default 1000 (see {@link #DEFAULT_MAX_DEPTH})
2022 * </li>
2123 * </ul>
@@ -45,6 +47,14 @@ public class StreamReadConstraints
4547 */
4648 public static final int DEFAULT_MAX_STRING_LEN = 20_000_000 ;
4749
50+ /**
51+ * Default setting for maximum name length: see {@link Builder#maxNameLength(int)}
52+ * for details.
53+ *
54+ * @since 2.16
55+ */
56+ public static final int DEFAULT_MAX_NAME_LEN = 50_000 ;
57+
4858 /**
4959 * Limit for the maximum magnitude of Scale of {@link java.math.BigDecimal} that can be
5060 * converted to {@link java.math.BigInteger}.
@@ -56,9 +66,11 @@ public class StreamReadConstraints
5666 protected final int _maxNestingDepth ;
5767 protected final int _maxNumLen ;
5868 protected final int _maxStringLen ;
69+ protected final int _maxNameLen ;
5970
6071 private static StreamReadConstraints DEFAULT =
61- new StreamReadConstraints (DEFAULT_MAX_DEPTH , DEFAULT_MAX_NUM_LEN , DEFAULT_MAX_STRING_LEN );
72+ new StreamReadConstraints (DEFAULT_MAX_DEPTH , DEFAULT_MAX_NUM_LEN ,
73+ DEFAULT_MAX_STRING_LEN , DEFAULT_MAX_NAME_LEN );
6274
6375 /**
6476 * Override the default StreamReadConstraints. These defaults are only used when {@link JsonFactory}
@@ -89,6 +101,7 @@ public static final class Builder {
89101 private int maxNestingDepth ;
90102 private int maxNumLen ;
91103 private int maxStringLen ;
104+ private int maxNameLen ;
92105
93106 /**
94107 * Sets the maximum nesting depth. The depth is a count of objects and arrays that have not
@@ -149,24 +162,47 @@ public Builder maxStringLength(final int maxStringLen) {
149162 return this ;
150163 }
151164
165+ /**
166+ * Sets the maximum name length (in chars or bytes, depending on input context).
167+ * The default is 50,000. This limit is not exact, the limit is applied when we increase
168+ * internal buffer sizes and an exception will happen at sizes greater than this limit. Some
169+ * text values that are a little bigger than the limit may be treated as valid but no text
170+ * values with sizes less than or equal to this limit will be treated as invalid.
171+ *
172+ * @param maxNameLen the maximum string length (in chars or bytes, depending on input context)
173+ *
174+ * @return this builder
175+ * @throws IllegalArgumentException if the maxStringLen is set to a negative value
176+ * @since 2.16.0
177+ */
178+ public Builder maxNameLength (final int maxNameLen ) {
179+ if (maxNameLen < 0 ) {
180+ throw new IllegalArgumentException ("Cannot set maxNameLen to a negative value" );
181+ }
182+ this .maxNameLen = maxNameLen ;
183+ return this ;
184+ }
185+
152186 Builder () {
153- this (DEFAULT_MAX_DEPTH , DEFAULT_MAX_NUM_LEN , DEFAULT_MAX_STRING_LEN );
187+ this (DEFAULT_MAX_DEPTH , DEFAULT_MAX_NUM_LEN , DEFAULT_MAX_STRING_LEN , DEFAULT_MAX_NAME_LEN );
154188 }
155189
156- Builder (final int maxNestingDepth , final int maxNumLen , final int maxStringLen ) {
190+ Builder (final int maxNestingDepth , final int maxNumLen , final int maxStringLen , final int maxNameLen ) {
157191 this .maxNestingDepth = maxNestingDepth ;
158192 this .maxNumLen = maxNumLen ;
159193 this .maxStringLen = maxStringLen ;
194+ this .maxNameLen = maxNameLen ;
160195 }
161196
162197 Builder (StreamReadConstraints src ) {
163198 maxNestingDepth = src ._maxNestingDepth ;
164199 maxNumLen = src ._maxNumLen ;
165200 maxStringLen = src ._maxStringLen ;
201+ maxNameLen = src ._maxNameLen ;
166202 }
167203
168204 public StreamReadConstraints build () {
169- return new StreamReadConstraints (maxNestingDepth , maxNumLen , maxStringLen );
205+ return new StreamReadConstraints (maxNestingDepth , maxNumLen , maxStringLen , maxNameLen );
170206 }
171207 }
172208
@@ -176,10 +212,17 @@ public StreamReadConstraints build() {
176212 /**********************************************************************
177213 */
178214
215+ @ Deprecated // since 2.16
179216 protected StreamReadConstraints (final int maxNestingDepth , final int maxNumLen , final int maxStringLen ) {
217+ this (maxNestingDepth , maxNumLen , maxStringLen , DEFAULT_MAX_NAME_LEN );
218+ }
219+
220+ protected StreamReadConstraints (final int maxNestingDepth , final int maxNumLen ,
221+ final int maxStringLen , final int maxNameLen ) {
180222 _maxNestingDepth = maxNestingDepth ;
181223 _maxNumLen = maxNumLen ;
182224 _maxStringLen = maxStringLen ;
225+ _maxNameLen = maxNameLen ;
183226 }
184227
185228 public static Builder builder () {
@@ -238,6 +281,16 @@ public int getMaxStringLength() {
238281 return _maxStringLen ;
239282 }
240283
284+ /**
285+ * Accessor for maximum length of names to decode.
286+ * see {@link Builder#maxNameLength(int)} for details.
287+ *
288+ * @return Maximum allowed name length
289+ */
290+ public int getMaxNameLength () {
291+ return _maxNameLen ;
292+ }
293+
241294 /*
242295 /**********************************************************************
243296 /* Convenience methods for validation, document limits
@@ -334,6 +387,27 @@ public void validateStringLength(int length) throws StreamConstraintsException
334387 }
335388 }
336389
390+ /**
391+ * Convenience method that can be used to verify that a name
392+ * of specified length does not exceed maximum specific by this
393+ * constraints object: if it does, a
394+ * {@link StreamConstraintsException}
395+ * is thrown.
396+ *
397+ * @param length Length of name in input units
398+ *
399+ * @throws StreamConstraintsException If length exceeds maximum
400+ */
401+ public void validateNameLength (int length ) throws StreamConstraintsException
402+ {
403+ if (length > _maxNameLen ) {
404+ throw _constructException (
405+ "Name value length (%d) exceeds the maximum allowed (%d, from %s)" ,
406+ length , _maxNameLen ,
407+ _constrainRef ("getMaxNameLength" ));
408+ }
409+ }
410+
337411 /*
338412 /**********************************************************************
339413 /* Convenience methods for validation, other
0 commit comments