CVE-2020-36518: Optimize `UntypedObjectDeserializer` wrt recursion · Issue #2816 · FasterXML/jackson-databind

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.


The current implementation of UntypedObjectDeserializer is relatively expensive for deeply nested Object and Array values, as it uses recursion even for the “vanilla” case (one where there are no custom List/array or Map deserializers).
In practical terms it is possible to exhaust typical modest JVM heap sizes with documents having about ten thousand levels of nesting.

A similar issue was already solved with respect to JsonNode (see #3397), included in 2.13.0; this might show a way to approach this problem: by replacing simple recursion with iteration, either completely or at some inner levels.

Also note that it may ultimately be necessary to have lower-level constraints for the streaming parser too, see: FasterXML/jackson-core#637

Ideally it should be:

  1. Possible to handle at least tens of thousands of levels of nesting (100k should be processable with a 256M heap, say)
  2. Have streaming-level limits that – by default – block documents nested deeper than the limit we deem safe (less than 100k – perhaps 10k or something, to be determined).

This issue is specifically about (1) as (2) is about jackson-core.
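The recursion-versus-iteration trade-off the issue describes, shown as an added, dependency-free Java illustration; this is not jackson-databind code and does not use its API. A toy parser for a small JSON subset (arrays, objects, unescaped strings, bare scalars) is written twice: once with plain recursion, which burns one thread-stack frame per nesting level and dies with a StackOverflowError on deep input, and once with an explicit heap-allocated stack plus a depth limit, which is the shape of both remedies (1) and (2) above. The class name, tokenizer and `maxDepth` parameter are assumptions for the example; the 100k-deep document is constructed hostile input; `String.repeat` needs Java 11 or newer.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical illustration of the recursion-vs-iteration point, not jackson-databind code.
// Supports only a JSON subset: arrays, objects, double-quoted strings without escapes,
// and bare scalars (numbers, true/false/null) which are kept as their raw text.
public class NestingDemo {

    // Tokenizer: structural characters become one-char tokens, strings keep their quotes.
    static List<String> tokenize(String json) {
        List<String> tokens = new ArrayList<>();
        int i = 0, n = json.length();
        while (i < n) {
            char c = json.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            if ("[]{}:,".indexOf(c) >= 0) { tokens.add(String.valueOf(c)); i++; continue; }
            if (c == '"') {
                int end = json.indexOf('"', i + 1);
                if (end < 0) throw new IllegalArgumentException("unterminated string");
                tokens.add(json.substring(i, end + 1));
                i = end + 1;
                continue;
            }
            int start = i;
            while (i < n && "[]{}:, \t\r\n".indexOf(json.charAt(i)) < 0) i++;
            tokens.add(json.substring(start, i));
        }
        return tokens;
    }

    // Strip quotes from string tokens; everything else stays raw text.
    static Object scalar(String tok) {
        return tok.startsWith("\"") ? tok.substring(1, tok.length() - 1) : tok;
    }

    // "Before": plain recursion. Each nesting level is a Java stack frame, so a deeply
    // nested document ends in StackOverflowError, the failure mode of CVE-2020-36518.
    static Object parseRecursive(List<String> t, int[] pos) {
        String tok = t.get(pos[0]++);
        if (tok.equals("[")) {
            List<Object> list = new ArrayList<>();
            while (!t.get(pos[0]).equals("]")) {
                list.add(parseRecursive(t, pos));
                if (t.get(pos[0]).equals(",")) pos[0]++;
            }
            pos[0]++; // consume ']'
            return list;
        }
        if (tok.equals("{")) {
            Map<String, Object> map = new LinkedHashMap<>();
            while (!t.get(pos[0]).equals("}")) {
                String key = (String) scalar(t.get(pos[0]++));
                pos[0]++; // consume ':'
                map.put(key, parseRecursive(t, pos));
                if (t.get(pos[0]).equals(",")) pos[0]++;
            }
            pos[0]++; // consume '}'
            return map;
        }
        return scalar(tok);
    }

    // "After": the open containers live on a heap-allocated Deque instead of the thread
    // stack, and maxDepth rejects a hostile document before its containers are allocated.
    @SuppressWarnings("unchecked")
    static Object parseIterative(List<String> t, int maxDepth) {
        Deque<Object> stack = new ArrayDeque<>();        // open arrays/objects, innermost on top
        Deque<String[]> pendingKey = new ArrayDeque<>(); // one slot per open container; null = expecting a key
        Object root = null;
        for (String tok : t) {
            Object value;
            if (tok.equals("[") || tok.equals("{")) {
                if (stack.size() >= maxDepth)
                    throw new IllegalStateException("nesting depth exceeds " + maxDepth);
                stack.push(tok.equals("[") ? new ArrayList<Object>() : new LinkedHashMap<String, Object>());
                pendingKey.push(new String[1]);
                continue;
            } else if (tok.equals("]") || tok.equals("}")) {
                value = stack.pop();          // container is complete; attach it to its parent
                pendingKey.pop();
            } else if (tok.equals(",") || tok.equals(":")) {
                continue;
            } else {
                value = scalar(tok);
            }
            if (stack.isEmpty()) {
                root = value;
            } else if (stack.peek() instanceof List) {
                ((List<Object>) stack.peek()).add(value);
            } else {
                String[] slot = pendingKey.peek();
                if (slot[0] == null) slot[0] = (String) value;                        // this scalar is the key
                else { ((Map<String, Object>) stack.peek()).put(slot[0], value); slot[0] = null; }
            }
        }
        return root;
    }

    // Count nested arrays along the first element, including an empty innermost one.
    static int measureDepth(Object v) {
        int d = 0;
        while (v instanceof List) {
            d++;
            List<?> l = (List<?>) v;
            v = l.isEmpty() ? null : l.get(0);
        }
        return d;
    }

    public static void main(String[] args) {
        int depth = 100_000;
        String hostile = "[".repeat(depth) + "]".repeat(depth); // constructed hostile input
        List<String> tokens = tokenize(hostile);
        try {
            parseRecursive(tokens, new int[]{0});
            System.out.println("recursive: parsed " + depth + " levels");
        } catch (StackOverflowError e) {
            System.out.println("recursive: StackOverflowError on the default thread stack");
        }
        System.out.println("iterative, no limit: depth " + measureDepth(parseIterative(tokens, Integer.MAX_VALUE)));
        try {
            parseIterative(tokens, 10_000); // the kind of default limit item (2) proposes
        } catch (IllegalStateException e) {
            System.out.println("iterative, limit 10k: rejected, " + e.getMessage());
        }
        System.out.println("sanity: " + parseIterative(tokenize("{\"a\":[1,{\"b\":\"c\"}],\"d\":null}"), 32));
    }
}
```

Run with `java NestingDemo.java` (Java 11+). The recursive parser overflows the default thread stack long before 100k frames, while the iterative one only grows the heap; the limit check is placed on the open-container path so that a document past the limit is refused before it costs any allocation, which is the property a streaming-level limit in the parser would provide for every deserializer above it.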
