The depth CVE fix broke the whole JSON parser...
In the protected <T> T readObject(JsonReaderI<T> mapper) method you count up every time. But you only count down at one case '}':, and there is another

    case '}':
        read(); /* unstack */ return mapper.convert(current);

later, without counting down. This makes it so you can only read 400 objects, not a depth of 400.
This of course breaks parsing of every JSON document with more than 400 objects.

Easy test to prove the problem:

    import com.jayway.jsonpath.JsonPath;

    JsonPath jsonPath = JsonPath.compile("$");
    // 401 sibling objects in one array, nested only one level deep
    jsonPath.read("[" + "{\"foo\":\"bar\"},".repeat(400) + "{\"foo\":\"bar\"}]");
Throws:

    net.minidev.json.parser.ParseException: Malicious payload, having non natural depths, parsing stoped on { at position 5587.
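A reduced illustration of the accounting bug described in the report, beside the shape of the fix, added here as an example; it is not json-smart's code, not the patch from the project, and it is written in Python rather than the library's Java. The names Parser, parse_json, reject_position and payload are this example's own; the limit of 400 is assumed (it is what the reported position implies, but the constant is not on this page), and only objects, arrays and plain strings are handled. obj_buggy counts up on every entry and down only on the empty-object branch, so 400 sibling objects in one array trip the limit, with the 400th object sitting at position 5587 exactly as in the exception above; obj_fixed unstacks in a finally block, so the same input parses while a document nested one level past the limit is still rejected.

```python
# Added illustration, not json-smart's code: a depth-limited JSON parser carrying
# the issue's accounting bug (obj_buggy) beside its fix (obj_fixed); 400 is assumed.
class ParseError(ValueError):
    def __init__(self, msg, pos):
        super().__init__(f"{msg} at position {pos}")
        self.pos = pos


class Parser:  # objects, arrays and plain strings only: enough for the payloads here
    def __init__(self, text, max_depth=400, buggy=False):
        self.s, self.i, self.depth = text, 0, 0
        self.max_depth, self.buggy = max_depth, buggy

    def peek(self):  # skip whitespace and return the next char ("" at end of input)
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch):
        if self.peek() != ch:
            raise ParseError(f"expected {ch!r}", self.i)
        self.i += 1

    def enter(self):  # as in the CVE fix: count on entry, reject past the limit
        self.depth += 1
        if self.depth > self.max_depth:
            raise ParseError("Malicious payload, having non natural depths", self.i)

    def value(self):
        if self.peek() == "{":
            return self.obj_buggy() if self.buggy else self.obj_fixed()
        if self.peek() == "[":
            return self.arr()
        return self.string()  # anything but '"' is reported there as an error

    def string(self):  # no escape sequences
        self.expect('"')
        start, self.i = self.i, self.s.find('"', self.i) + 1
        if self.i == 0:
            raise ParseError("unterminated string", start)
        return self.s[start:self.i - 1]

    def arr(self):
        self.enter()
        try:
            self.expect("[")
            out = []
            while self.peek() != "]":
                if out:
                    self.expect(",")
                out.append(self.value())
            self.i += 1
            return out
        finally:
            self.depth -= 1  # arrays unstack on every exit path

    def body(self):  # "{ ... }", shared by both object readers
        self.expect("{")
        out = {}
        while self.peek() != "}":
            if out:
                self.expect(",")
            key = self.string()
            self.expect(":")
            out[key] = self.value()
        self.i += 1
        return out

    def obj_buggy(self):  # the bug: counted up on every entry, down only for "{}"
        self.enter()
        out = self.body()
        if not out:
            self.depth -= 1  # the only unstack, so sibling objects pile up like nesting
        return out

    def obj_fixed(self):  # the fix: unstack on every exit path, errors included
        self.enter()
        try:
            return self.body()
        finally:
            self.depth -= 1


def parse_json(text, max_depth=400, buggy=False):
    return Parser(text, max_depth, buggy).value()


def reject_position(text, max_depth=400, buggy=False):
    try:  # position at which parsing is rejected, or None when the document parses
        parse_json(text, max_depth, buggy)
        return None
    except ParseError as e:
        return e.pos


def payload(n, deep=False):  # constructed input: n sibling objects (the report's case) or n nested ones
    if deep:
        return '{"a":' * n + '"x"' + "}" * n
    return "[" + ",".join(['{"foo":"bar"}'] * n) + "]"
```

The try/finally in obj_fixed is the point of the example: a depth counter that is incremented on entry must be decremented on every way out of the frame, including the non-empty-object return and exception paths, otherwise the limit measures how many objects were seen rather than how deeply they nest, and a flat array of records becomes indistinguishable from the deeply nested payload the limit was meant to reject.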
Thanks for your report. I'll dive into it this weekend.
I added #133 to fix this issue.
I think #133 can close this issue. Feel free to reopen it.