diff --git a/core/src/main/java/feign/template/Expressions.java b/core/src/main/java/feign/template/Expressions.java
index 644a24a3b..ecd1b99ee 100644
--- a/core/src/main/java/feign/template/Expressions.java
+++ b/core/src/main/java/feign/template/Expressions.java
@@ -22,6 +22,8 @@ public final class Expressions {
+ private static final int MAX_EXPRESSION_LENGTH = 10000;
+ private static final String PATH_STYLE_OPERATOR = ";";
 /**
 * Literals may be present and preceded the expression.
@@ -68,6 +70,12 @@ public static Expression create(final String value) {
 throw new IllegalArgumentException("an expression is required.");
 }
+ /* Check if the expression is too long */
+ if (expression.length() > MAX_EXPRESSION_LENGTH) {
+ throw new IllegalArgumentException(
+ "expression is too long. Max length: " + MAX_EXPRESSION_LENGTH);
+ }
+ /* create a new regular expression matcher for the expression */
 String variableName = null;
 String variablePattern = null;
diff --git a/core/src/test/java/feign/template/ExpressionsTest.java b/core/src/test/java/feign/template/ExpressionsTest.java
index dd2c4cbb9..051004c42 100644
--- a/core/src/test/java/feign/template/ExpressionsTest.java
+++ b/core/src/test/java/feign/template/ExpressionsTest.java
@@ -16,6 +16,7 @@ import org.junit.jupiter.api.Test;
 import java.util.Collections;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatObject;
 public class ExpressionsTest {
@@ -27,6 +28,17 @@ public void simpleExpression() {
 assertThat(expanded).isEqualToIgnoringCase("foo=bar");
 }
+ @Test
+ public void malformedBodyTemplate() {
+ String bodyTemplate = "{" + "a".repeat(65536) + "}";
+ try {
+ BodyTemplate template = BodyTemplate.create(bodyTemplate);
+ } catch (Throwable e) {
+ assertThatObject(e).isNotInstanceOf(StackOverflowError.class);
+ }
+ }
+ @Test
 public void androidCompatibility() {
 // To match close brace on Android, it must be escaped due to the simpler ICU regex engine
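Review bot: `MAX_EXPRESSION_LENGTH` is added without a comment saying what it bounds or why the value is 10000. Judging by the test added in the same commit, the cap presumably exists so that an over-long expression is rejected before regex matching can exhaust the stack; state that on the constant, for example `/* Maximum expression length in chars; longer input is rejected before regex matching to avoid a StackOverflowError. */`. The class body continues outside the hunk.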
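Review bot: The fixed cap of `MAX_EXPRESSION_LENGTH` characters only bounds the input handed to the matcher created below the new check; whether 10000 characters is small enough depends on the stack size of the calling thread, and nothing visible here ties the constant to it. The test file mentions Android, so the limit is worth confirming on the smallest stack the library supports, not only far above it. The check also turns every longer expression into an `IllegalArgumentException`, so callers that pass large brace-delimited text (the new test does so through `BodyTemplate.create`) may now fail where they previously worked; that belongs in the method's Javadoc as an `@throws` line. Reporting the offending length would help triage without echoing the input: `"expression is too long. Max length: " + MAX_EXPRESSION_LENGTH + ", actual: " + expression.length()`. `create` starts and continues outside the hunk.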
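Review bot: `malformedBodyTemplate` passes when `BodyTemplate.create` throws nothing at all, and also when it throws anything other than `StackOverflowError`, so it does not pin the new length check. Assert the expected outcome directly, e.g. `assertThatThrownBy(() -> BodyTemplate.create(bodyTemplate)).isInstanceOf(IllegalArgumentException.class);` with a static import of `assertThatThrownBy`, assuming the 65536-character chunk does reach `Expressions.create`. A second pair of cases at the limit and one character above it, calling `Expressions.create` itself, would catch an off-by-one in the `>` comparison. The local `template` is unused.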