CVE-2023-5072: disallow nested object/array keys & detect embedded \0 #1
Merged
claireagordon merged 2 commits into main on Apr 1, 2024
Port of stleary/JSON-java#772 to partially remediate https://www.cve.org/CVERecord?id=CVE-2023-5072, where nested keys can allow relatively small inputs to cause OOM errors through recursion.

Test by:
- package & import into alpha locally
- confirm a suite of unit tests depending on JSONObjects passes
- verify that the following CVE proof-of-concept fails with an 'unexpected character' exception: https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464
See: stleary/JSON-java#758 stleary/JSON-java#759

Port pull #759 from stleary/JSON-java to help address OOM errors described in https://www.cve.org/CVERecord?id=CVE-2023-5072

To support the JSONTokener.end() function this relies on, port over the 'eof' flag & set it in all locations it's used in the latest JSON-java. Use the String next(int n) implementation from more recent Java versions so we can properly check end() while reading a group of characters.

Test by:
- importing into alpha locally & running all tests that depend on //thirdparty:json
- verifying that Snyk's proof-of-concept does not cause OOMs: https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464
Port stleary/JSON-java fixes for CVE-2023-5072 to mitigate recursion issues when creating JSONObjects.

- getSimpleValue tokenizer method that does not support objects or arrays

The latter requires us to port over a more modern implementation of JSONTokener.next(int n) (https://github.com/stleary/JSON-java/blob/master/src/main/java/org/json/JSONTokener.java#L248) so we can check individual characters instead of reading an n-character buffer all at once.

Tested by:
- //thirdparty:json. Confirm all test failures match the main branch

See also:
- \0 and EOF can lead to OutOfMemoryError stleary/JSON-java#758
- \0 values stleary/JSON-java#759
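The two changes described in the commit messages and the PR description above, modelled in Python as an added illustration. This is not org.json's code, not this PR's diff, and not a port of JSONTokener; the class and function names (Tokener, next_simple_value, parse_container, classify) and every sample input are assumptions of this example. It shows why reading an object key with the recursive value tokenizer lets a run of opening braces nest once per brace until the stack or heap is gone, how a key tokenizer that refuses '{' and '[' stops at the first nested opener, and how an eof flag checked per character in next_n() keeps a NUL byte embedded in the data distinct from end of input.

```python
# Python model of the two JSONTokener hardenings this PR ports. Illustrative
# only: not org.json's code and not this PR's diff. The names Tokener,
# next_simple_value, parse_container, classify and all inputs are the example's.

class JSONSyntaxError(ValueError):
    pass  # stands in for org.json's JSONException

class Tokener:
    """Reader modelled on JSONTokener: next() returns '\\0' at end of input and
    records that in `eof`, so end() separates real EOF from an embedded NUL."""
    def __init__(self, text):
        self.text, self.pos, self.eof = text, 0, False
    def next(self):
        if self.pos >= len(self.text):
            self.eof = True
            return "\0"
        self.pos += 1
        return self.text[self.pos - 1]
    def end(self):
        return self.eof
    def back(self):  # un-read one char; a no-op once EOF has been reached
        if not self.eof and self.pos:
            self.pos -= 1
    def next_n(self, n):
        """Read n chars one at a time and check end() after each, rather than
        fill a buffer in one read where a short read and a NUL look alike."""
        out = []
        for _ in range(n):
            c = self.next()
            if self.end():
                raise JSONSyntaxError("Substring bounds error")
            out.append(c)
        return "".join(out)
    def next_clean(self):  # skip whitespace; '\0' only for EOF or a NUL byte
        while True:
            c = self.next()
            if self.end() or c == "\0" or c > " ":
                return c

def next_string(tok, quote):  # quoted string; \uXXXX escapes go through next_n
    out = []
    while True:
        c = tok.next()
        if tok.end() or c in "\n\r":
            raise JSONSyntaxError("Unterminated string")
        if c == quote:
            return "".join(out)
        if c == "\\":
            c = tok.next()
            c = chr(int(tok.next_n(4), 16)) if c == "u" else c
        out.append(c)

def next_simple_value(tok, c):
    """Key tokenizer (the PR's getSimpleValue-style method): strings and bare
    tokens only, never descending into '{' or '['."""
    if c in "\"'":
        return next_string(tok, c)
    if c in "{[":
        raise JSONSyntaxError("unexpected character %r in key position" % c)
    buf = []
    while c >= " " and c not in ",:]}/\\\"[{;=#":
        buf.append(c)
        c = tok.next()
    tok.back()
    token = "".join(buf).strip()
    if not token:
        raise JSONSyntaxError("Missing value")
    return int(token) if token.lstrip("-").isdigit() else token

def next_value(tok, hardened, c=None):  # like nextValue(): recurses into { and [
    c = tok.next_clean() if c is None else c
    if c in "{[":
        return parse_container(tok, hardened, "}" if c == "{" else "]")
    return next_simple_value(tok, c)

def parse_container(tok, hardened, close):
    """After '{' or '['. The vulnerable variant reads object keys with the recursive
    next_value(), so '{{{{...' nests once per brace; the hardened one rejects them."""
    items = {} if close == "}" else []
    c = tok.next_clean()
    while c != close:
        if close == "}":
            key = next_simple_value(tok, c) if hardened else next_value(tok, hardened, c)
            if tok.next_clean() != ":":
                raise JSONSyntaxError("Expected a ':' after a key")
            items[str(key)] = next_value(tok, hardened)
        else:
            items.append(next_value(tok, hardened, c))
        c = tok.next_clean()
        if c == ",":
            c = tok.next_clean()
        elif c != close:
            raise JSONSyntaxError("Expected ',' or %r" % close)
    return items

def classify(text, hardened):
    """Parse and name the outcome; RecursionError stands in for the JVM OOM."""
    try:
        next_value(Tokener(text), hardened)
        return "ok"
    except JSONSyntaxError:
        return "syntax error"
    except RecursionError:
        return "recursion exhausted"
```

classify("{" * 20000, hardened=False) reports recursion exhausted, classify("{" * 20000, hardened=True) reports a syntax error at the second brace, Tokener("ab\0cd").next_n(5) returns all five characters, and Tokener("abc").next_n(5) raises instead of handing back a padded buffer. Only the key path changes: a deeply nested value such as a long run of '[' still recurses in the hardened variant, which is consistent with the first commit message calling the port a partial remediation, so an input-size or nesting-depth limit in front of the parser is still needed for untrusted input.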