Friday , May 7 2021

lovasoa / bad_json_parsers, Hacker News



Build Status

Documenting how JSON parsers of several programming languages ​​deal with deeply nested structures.


Many JSON parsers (and many parsers in general) userecursionto parse nested structures. This is very convenient while programming the parser, but it has consequences on what the parser can parse: indeed, the size of thecall stackis usually limited to a value several orders of magnitude smaller than the available RAM, and this implies that a program with too many levels of recursion will fail.

The two most recent JSON standardsRFC 8259andRFC 7159both say “An implementation may set limits on the maximum depth of nesting.” However, theECMA – 404specification doesn’t contain any limit on how deeply nested JSON structures can be.

This means that there is not a defined level of nesting which is correct or incorrect with regard to the JSON specification, and JSON parsers may differ when parsing nested structures.

This repository contains tools to measure the nesting limits of JSON parsers of different languages.

How to use

This repository contains a script calledtest_parser.shthat takes a JSON parser and usesbinary searchto find the smallest JSON structure it fails to parse and print its nesting level.

The json parser must be a program that reads JSON on its standard input, and exits with a status of 0 if it managed to parse it and any other status if an error occurred.

How it works

test_parser.shconstructs json structures composed uniquely of nested arrays, and gives them to the program it tests. For instance, for a depth of 3, it builds the following json:[[[]]]. This allows to create a structure of only2nbytes that hasnnesting levels. It usesbinary searchto find the smallest structure for which the program fails.


On my machine (Ubuntu Linux 4. 10 .0 – 35 – generic SMP x 86 _ 64 with 8Gb RAM, 8.4 MB maximum stack size), I found the following results, sorted from least nesting to most nesting:








(C )




language json library nesting level file size notes
json bytes
serde_json bytes
json_decode bytes maximum depth is configurable
JSON :: PP bytes
json 2.0 KB without sys.setrecursionlimit
Jansson 4.0 KB
**************************************** (Gson) **************************************************************************************************************************** .3 KB
javascript ******************** (JSON.parse) **************************************************************************************************************************** .4 KB
JAVA – JACKSON Jackson ************************************************************************************************************************** (KB)
****************************************** (nlohmann :: json) .6 KB segfault
json *********************************************************************************************** (KB) w /- d: release
******************** (encoding / json) 5.0 MiB goroutine stack exceeds 1000000000 – byte limit
Ruby ******************************************** (OJ)
********************************************* (Aeson) available RAM is the only limit


I tried to test the most popular json library of each language. If you want to add a new language or a new library, feel free to open a pull request.

All the parameters were left to their default values. In particular, the result for PHP is particular:json_decode (accepts a) *************************** (depth) parameter to configure the maximum depth of the object to be parsed.


Brave Browser
Read More

About admin

Leave a Reply

Your email address will not be published. Required fields are marked *