Correctly apply JSON recursion limit when parsing an Any-of-Any.

protobuf-github-bot · karenwuz · commit 94c7f73824f6 · 2026-01-08T14:57:25.000Z
Without this check, an any-of-any-of-any-of-... wouldn't apply the recursion check as intended and cound be arbitrarily deep. Fixes #25071 PiperOrigin-RevId: 850485466
diff --git a/java/util/src/main/java/com/google/protobuf/util/JsonFormat.java b/java/util/src/main/java/com/google/protobuf/util/JsonFormat.java
@@ -1532,6 +1532,11 @@ private void mergeAny(JsonElement json, Message.Builder builder)
       Message.Builder contentBuilder =
           DynamicMessage.getDefaultInstance(contentType).newBuilderForType();
       WellKnownTypeParser specialParser = wellKnownTypeParsers.get(contentType.getFullName());
+
+      if (currentDepth >= recursionLimit) {
+        throw new InvalidProtocolBufferException("Hit recursion limit.");
+      }
+      ++currentDepth;
       if (specialParser != null) {
         JsonElement value = object.get("value");
         if (value != null) {
@@ -1540,6 +1545,7 @@ private void mergeAny(JsonElement json, Message.Builder builder)
       } else {
         mergeMessage(json, contentBuilder, true);
       }
+      --currentDepth;
       builder.setField(valueField, contentBuilder.build().toByteString());
     }
 
diff --git a/java/util/src/test/java/com/google/protobuf/util/JsonFormatTest.java b/java/util/src/test/java/com/google/protobuf/util/JsonFormatTest.java
@@ -1697,7 +1697,40 @@ public void testRecursionLimit() throws Exception {
       parser.merge(input, builder);
       assertWithMessage("Exception is expected.").fail();
     } catch (InvalidProtocolBufferException e) {
-      // Expected.
+      assertThat(e).hasMessageThat().contains("recursion");
+    }
+  }
+
+  @Test
+  public void testRecursionLimitAnyOfAny() throws Exception {
+    String input =
+        "{\n"
+            + "  \"@type\": \"type.googleapis.com/google.protobuf.Any\", \"value\": {\n"
+            + "    \"@type\": \"type.googleapis.com/google.protobuf.Any\", \"value\": {\n"
+            + "      \"@type\": \"type.googleapis.com/google.protobuf.Any\", \"value\": {\n"
+            + "        \"@type\": \"type.googleapis.com/google.protobuf.Any\", \"value\": {\n"
+            + "          \"@type\": \"type.googleapis.com/google.protobuf.Any\"}\n"
+            + "        }\n"
+            + "      }\n"
+            + "    }\n"
+            + "  }\n"
+            + "}\n";
+
+    JsonFormat.TypeRegistry registry =
+        JsonFormat.TypeRegistry.newBuilder().add(Any.getDescriptor()).build();
+
+    JsonFormat.Parser parser = JsonFormat.parser().usingTypeRegistry(registry);
+    Any.Builder builder = Any.newBuilder();
+    parser.merge(input, builder); // Successfully parses with no default recursion limit.
+    Any unused = builder.build();
+
+    parser = JsonFormat.parser().usingTypeRegistry(registry).usingRecursionLimit(3);
+    builder = Any.newBuilder();
+    try {
+      parser.merge(input, builder);
+      assertWithMessage("Exception is expected.").fail();
+    } catch (InvalidProtocolBufferException e) {
+      assertThat(e).hasMessageThat().contains("recursion");
     }
   }
 
