Closed. ZanderHuang closed this issue 9 months ago.
Thank you for reporting this issue: sounds like sub-optimal handling.
I am not sure I see DoS aspect itself as exceptions are the mechanism to use for many kinds of invalid data, but in this case handling should produce package-specified exception, not accidental NPE.
I added a failing unit test for this one, but I do think the actual fix needs to go in ion-java; Jackson cannot prevent it from being thrown, and so any performance problems are already incurred even if caught by IonParser -- and adding NPE catching in there just seems incorrect to me.
@mcliedtke @jobarr-amzn do you know what'd be a good way to report this to the streaming Ion codec?
The test is UncaughtException303Test and uses a small broken Ion doc from under ion/src/test/resources//data/issue-303.ion to trigger the NPE.
I'm taking a look - will open an issue in ion-java as necessary.
Hi @jobarr-amzn! I assume you haven't had a chance to look into this but thought I'd ping just in case.
Description
This vulnerability is an Uncaught Exception for java.lang.NullPointerException in com.fasterxml.jackson.dataformat, jackson-dataformat-ion (2.13.0, the latest version) with com.amazon.ion, ion-java (1.8.3, the latest version). Specifically, it fails to check the runtime exception java.lang.NullPointerException in the function com.fasterxml.jackson.dataformat.ion.IonParser.nextToken() (IonParser.java: 506). The attackers can launch DoS (Denial of Service) attacks on any program that directly uses this library (CWE-2248: Uncaught exception).
The vulnerable code:
The crash stack:
Proof of Concept
Fix suggestion
Wrap this kind of exception as a type of exception the library provides, e.g. IonException. Maybe the fix should be not only in Jackson but also in the ion-java package it depends on.
Impact
The attackers can launch DoS (Denial of Service) attacks on any program that directly uses this library (CWE-2248: Uncaught exception).
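The thread's fix suggestion (present a package-specified exception at the parser boundary instead of letting an unchecked NullPointerException escape from the underlying codec) is illustrated below with an added, self-contained Java example. It is not code from Jackson, jackson-dataformat-ion or ion-java: the types IonStreamReader, ConstructedReader, ParserException and WrappingParser are hypothetical stand-ins, and the "<null>" token is a constructed trigger that imitates the reported NPE rather than reproducing issue-303.ion.

```java
// Added example, not project code. Shows the "before" (unchecked exception escapes)
// next to the "after" (wrapped in a package-specified checked exception, cause kept).

/** Hypothetical package-specified exception, the role IonException/StreamReadException would play. */
class ParserException extends Exception {
    ParserException(String message, Throwable cause) { super(message, cause); }
}

/** Hypothetical stand-in for an underlying streaming reader (not ion-java's API). */
interface IonStreamReader {
    /** Returns the next token name, or null at end of stream. */
    String next();
}

/** Constructed reader: the token "<null>" simulates the state in which the underlying
 *  codec trips over malformed data and throws a NullPointerException. */
class ConstructedReader implements IonStreamReader {
    private final String[] tokens;
    private int pos = 0;

    ConstructedReader(String... tokens) { this.tokens = tokens; }

    @Override
    public String next() {
        if (pos >= tokens.length) return null;
        String t = tokens[pos++];
        if ("<null>".equals(t)) {
            // Constructed failure: an unchecked exception escaping from the codec.
            throw new NullPointerException("simulated codec NPE on malformed input");
        }
        return t;
    }
}

/** Parser layer sitting on top of the reader, as IonParser sits on top of ion-java. */
class WrappingParser {
    private final IonStreamReader reader;

    WrappingParser(IonStreamReader reader) { this.reader = reader; }

    /** "Before": whatever the reader throws propagates to the caller unchanged. */
    String nextTokenUnwrapped() {
        return reader.next();
    }

    /** "After": callers only ever see ParserException; the original cause is retained
     *  for diagnostics but the API contract is a single documented exception type. */
    String nextToken() throws ParserException {
        try {
            return reader.next();
        } catch (RuntimeException e) {
            throw new ParserException(
                "Malformed Ion input (" + e.getClass().getSimpleName() + ")", e);
        }
    }
}

public class WrappedExceptionDemo {
    public static void main(String[] args) {
        IonStreamReader broken = new ConstructedReader("struct", "<null>");

        // Hardened path: the malformed stream surfaces as the parser's own exception.
        WrappingParser p = new WrappingParser(broken);
        try {
            while (p.nextToken() != null) { /* consume tokens */ }
            System.out.println("parsed cleanly");
        } catch (ParserException e) {
            System.out.println("caught package exception: " + e.getMessage()
                + " (cause: " + e.getCause().getClass().getName() + ")");
        }

        // Unwrapped path: the same stream lets the NullPointerException reach the caller.
        WrappingParser q = new WrappingParser(new ConstructedReader("struct", "<null>"));
        try {
            while (q.nextTokenUnwrapped() != null) { /* consume tokens */ }
        } catch (NullPointerException e) {
            System.out.println("unwrapped path leaked: " + e.getClass().getName());
        }
    }
}
```

Catching RuntimeException at the parser boundary is deliberately broad: the point is that a caller who already handles the parser's documented exception type gets the same handling for codec defects it cannot anticipate, while the wrapped cause keeps the stack trace available for a bug report against the codec.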