Stack overflow error caused by gson serialization Map #2414
Comments
Thanks for the report! In general though, please report security vulnerabilities as described in https://github.com/google/gson/security; though in this case I guess this might not be that severe, see below.
Could you please explain this a bit more in detail? Your proof of concept shows Java code which triggers this issue, not a JSON string, so if an attacker can already execute arbitrary Java code, they could instead directly run OS commands.

Either way, personally I think it would be good to improve this handling of deeply nested values (collections, maps, objects), also if possible to make debugging easier, because users sometimes by accident create recursive data structures, and debugging the (same applies to #2417 as well)

This relates to #530

Edit: But in general such recursive values as shown in your sample code will cause problems, not only for Gson. For example calling
Or maybe the simplest solution would be to introduce a maximum nesting depth for
@Marcono1234 this user (PoppingSnack) has been irresponsibly raising issues across a large number of Java JSON tools (including Jackson, a lib that I work on). Most or all of these tools have documented approaches on how to report issues responsibly, and this user has ignored them all. If there is any attempt by this user to claim credit and cash rewards for disclosing vulnerabilities, I hope that the GSON team will not give the user credit due to the irresponsible disclosure.
If you make a recursive data structure and try to serialize it, you get a StackOverflowError. As @Marcono1234 points out, you'll also get a StackOverflowError if you call
Description
gson before v2.10.1 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
PoC
Rectification Solution
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing. (2d01d6a20f39881c692977564c1ea591d9f39027)
References
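As an added example that is not part of this issue thread and not Gson's or jackson-databind's code, the following minimal Map/List-to-JSON writer in Java combines the two rectifications listed above: it walks containers with an explicit stack of frames instead of Java recursion (the stack+iteration approach), treats the size of that stack as the nesting depth and caps it at a threshold (the depth-variable approach), and additionally keeps the containers on the current path in an identity set so that a self-referencing map, the shape of the reported PoC, fails with a clear message instead of an endless walk. The class name, the MAX_DEPTH value of 64, and the inputs built in main are all constructed for illustration and are not values taken from either project.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

// Added example, not Gson's code. Containers are walked with an explicit stack of
// frames instead of Java recursion, so nesting cannot overflow the call stack; the
// stack size is the nesting depth and is capped at MAX_DEPTH (a hypothetical value);
// an identity set of containers on the current path turns a self-referencing
// structure into a clear exception instead of an endless walk.
public final class IterativeJsonWriter {
    static final int MAX_DEPTH = 64; // assumed limit for illustration, not Gson's

    /** One open container whose children are still being emitted. */
    private static final class Frame {
        final Object container; final Iterator<?> items; final boolean isMap;
        boolean first = true;
        Frame(Object c, Iterator<?> i, boolean m) { container = c; items = i; isMap = m; }
    }

    private final StringBuilder out = new StringBuilder();
    private final Deque<Frame> stack = new ArrayDeque<>();
    // identity-based on purpose: equals()/hashCode() on a cyclic Map would themselves recurse
    private final Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());

    public static String toJson(Object root) {
        IterativeJsonWriter w = new IterativeJsonWriter();
        w.emit(root);
        while (!w.stack.isEmpty()) {
            Frame f = w.stack.peek();
            if (!f.items.hasNext()) {            // container finished: close it and pop
                w.out.append(f.isMap ? '}' : ']');
                w.stack.pop();
                w.onPath.remove(f.container);
                continue;
            }
            if (!f.first) w.out.append(',');
            f.first = false;
            Object next = f.items.next();
            if (f.isMap) {
                Map.Entry<?, ?> e = (Map.Entry<?, ?>) next;
                w.writeString(String.valueOf(e.getKey()));
                w.out.append(':');
                next = e.getValue();
            }
            w.emit(next);
        }
        return w.out.toString();
    }

    /** Writes a scalar, or opens a container and pushes a frame for its children. */
    private void emit(Object value) {
        if (value == null) { out.append("null"); return; }
        if (value instanceof String) { writeString((String) value); return; }
        if (value instanceof Number || value instanceof Boolean) { out.append(value); return; }
        boolean isMap = value instanceof Map;
        if (!isMap && !(value instanceof Iterable)) {
            throw new IllegalArgumentException("unsupported type: " + value.getClass().getName());
        }
        if (!onPath.add(value)) {
            throw new IllegalStateException("cyclic reference detected at depth " + stack.size());
        }
        if (stack.size() + 1 > MAX_DEPTH) {
            throw new IllegalStateException("nesting depth exceeds " + MAX_DEPTH);
        }
        Iterator<?> items = isMap ? ((Map<?, ?>) value).entrySet().iterator()
                                  : ((Iterable<?>) value).iterator();
        out.append(isMap ? '{' : '[');
        stack.push(new Frame(value, items, isMap));
    }

    private void writeString(String s) {
        out.append('"');
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20) out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        out.append('"');
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal nested value, a self-referencing map (the shape
        // of the report's PoC), and a deep but acyclic chain of 100000 lists.
        Map<String, Object> plain = new HashMap<>();
        plain.put("list", Arrays.asList(1, true, "x\"y"));
        System.out.println(toJson(plain));

        Map<String, Object> cyclic = new HashMap<>();
        cyclic.put("self", cyclic);
        try { toJson(cyclic); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }

        Object deep = "leaf";
        for (int i = 0; i < 100_000; i++) deep = Collections.singletonList(deep);
        try { toJson(deep); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Two design points worth noting. The path set must be identity-based: a `HashSet` would call `hashCode()` on the map, and `AbstractMap.hashCode()` folds in each value's hash, so on a map that contains itself that call recurses and overflows before the serializer ever runs, which is the same class of problem the comments above describe for `toString()`-style calls. And the depth cap is still useful once recursion is gone: without it, the iterative walk cannot crash the stack, but an acyclic chain supplied by an untrusted caller can still make the writer do unbounded work, so bounding depth keeps the failure an explicit, catchable exception rather than a resource-exhaustion outcome.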