stleary / JSON-java

A reference implementation of a JSON package in Java.
http://stleary.github.io/JSON-java/index.html

An OOM security issue was found in JSON-java #834

Open Alex111998 opened 12 months ago

Alex111998 commented 12 months ago

When I tested the latest version (20231013) of JSON-java with CIFuzz, an OOM security issue was found. It is caused by putting a big number in a JSONArray, and may cause denial-of-service issues in applications via the following code:

new org.json.JSONArray().put(1829517625, 1.0719845412539998E291);

johnjaylward commented 12 months ago

This is expected behavior. Don't do that.

Madjosz commented 9 months ago

JSON does not support the concept of "sparse arrays", as you would need an index => value mapping, which effectively is a JSONObject then. You have to think about how your created object would be stringified: it would be [,,,(1829517624 commas in total),,, 1.0719845412539998E291] and you could already avoid parsing this. On the other hand, your example can only be created directly from code, so the 'security issue' can only be injected by the programmer deliberately and can be mitigated by checks for the index to be in a sane range.
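
One way to apply the index range check suggested in the last comment, for code that derives the index from data it does not control. This is an added example, not part of the thread or of the JSON-java code base; the class name, `putChecked`, and both limits are assumptions, and org.json must be on the classpath.

```java
import org.json.JSONArray;

public final class BoundedJsonArray {
    // Hypothetical policy values (assumptions); tune them to the application.
    static final int MAX_LENGTH = 10_000; // hard cap on the resulting array length
    static final int MAX_GAP = 16;        // most padding elements one put may create

    private BoundedJsonArray() {}

    /**
     * Calls JSONArray.put(int, Object) only if the index is in a sane range.
     * An index past the current length makes the array grow to index + 1
     * elements, so an unchecked index controls how much memory is allocated.
     */
    static JSONArray putChecked(JSONArray array, int index, Object value) {
        if (index < 0) {
            throw new IllegalArgumentException("negative index: " + index);
        }
        if (index >= MAX_LENGTH) {
            throw new IllegalArgumentException(
                "index " + index + " exceeds maximum array length " + MAX_LENGTH);
        }
        // Use long arithmetic so the subtraction cannot overflow.
        long gap = (long) index - array.length();
        if (gap > MAX_GAP) {
            throw new IllegalArgumentException(
                "index " + index + " would add " + gap + " padding elements");
        }
        return array.put(index, value);
    }

    public static void main(String[] args) {
        JSONArray array = new JSONArray();
        putChecked(array, 0, "a");
        putChecked(array, 3, "b"); // small gap: indexes 1 and 2 are padded
        System.out.println(array + " length=" + array.length());

        try {
            // The index and value from the issue report.
            putChecked(array, 1829517625, 1.0719845412539998E291);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```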