Add configurable limit for the maximum length of Object property names to parse before failing (default max: 50,000 chars) · Issue #1047 · FasterXML/jackson-core
(note: part of #637)
Similar to token-length limits for Numbers (see #815) and Strings (see #863), we need an option to limit maximum Object Property name length to something reasonable, as otherwise name tokenization can become a performance issue for very long names.
As with other limits, units would be related to underlying input units -- `byte`s or `char`s depending on input source.
We need to decide on reasonable defaults to use: my initial suggestion is to limit to 64k but this probably needs to be correlated to:
- Performance-characteristics (can we find a pivot point where length increase has super-linear negative effect?)
- Longest legit (non-malicious) property names used in the wild.
That is: figure out the highest limit that works for the DoS aspect, balanced with the lowest limit that would be unlikely to break existing legit usage.
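
How a consumer would apply such a limit when parsing untrusted input, as an added example that is not part of the original issue or the project's own code. It assumes a jackson-core release that provides `StreamReadConstraints.Builder.maxNameLength`; the class name, the 256-unit limit and the sample documents are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;

public class NameLengthLimitDemo {
    // Constructed limit for an untrusted endpoint, far below the 50,000 default.
    static final int MAX_NAME_LEN = 256;

    // Factory whose parsers reject Object property names longer than the limit.
    static JsonFactory hardenedFactory() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNameLength(MAX_NAME_LEN)
                .build();
        return JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
    }

    // Returns the number of property names seen, or -1 if the document
    // was rejected because a read constraint was exceeded.
    static int countNames(JsonFactory factory, String json) throws IOException {
        int names = 0;
        try (JsonParser parser = factory.createParser(json)) {
            JsonToken token;
            while ((token = parser.nextToken()) != null) {
                if (token == JsonToken.FIELD_NAME) {
                    names++;
                }
            }
            return names;
        } catch (StreamConstraintsException e) {
            // Treat as a rejected request; log e.getMessage() rather than the payload.
            return -1;
        }
    }

    public static void main(String[] args) throws IOException {
        JsonFactory factory = hardenedFactory();
        String ordinary = "{\"id\":1,\"name\":\"x\"}";                        // constructed sample
        String oversized = "{\"" + "a".repeat(MAX_NAME_LEN + 1) + "\":1}";   // constructed sample
        System.out.println("ordinary  -> " + countNames(factory, ordinary));
        System.out.println("oversized -> " + countNames(factory, oversized));
    }
}
```

Catching `StreamConstraintsException` separately from other `IOException`s lets a service count constraint rejections as their own signal instead of folding them into generic parse errors.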