-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Logic to exclude object keys that are themselves objects is imperfect #771
Comments
@eamonnmcmanus Thanks for bringing this up, however, I am not convinced yet this is a bug.
You mentioned the current code allows potential DOS attacks. Can you explain how that would work? |
I'm reluctant to share precise exploit details here, but I have sent them privately. |
OK, after discussion with @stleary I'm sharing the details here. The bug that allows an array-of-object as a key can be exploited recursively:
Each level of recursion doubles the number of backslashes, so with only a couple of hundred characters an attacker can provoke an I dare say an attacker can also provoke a #660 already addressed problems like this to some extent. It adds both a catch for |
Now convinced there is a bug in how missing quotes are handled. How should this text be parsed? 20230618 release: #772 fix: I think the parser should terminate implicit strings by a colon for JSONObject,
Post here if anyone has a different take on how the parser should work. |
This makes the most sense to me |
It's certainly possible to introduce a clearer rule for unquoted keys. Those aren't standard JSON, but we can imagine that if people use them then they are expecting something like JavaScript semantics. Scanning to the first
A similar rule for unquoted values in arrays (scanning to the first In both cases this can change the parse of some existing strings. For example To be honest, I'm not sure that this would be solving a problem that anyone has. I don't think anyone has JSON strings like this that they expect to be able to parse with the results above, or to be able to parse at all. But the new rules are at least simpler to explain. I will look into what's involved in making another PR implementing these rules. |
I've prototyped some of the above, but the more I think about it the less I like it. Some JSON implementations do indeed go beyond the spec to allow object keys that are not string literals. But I think that is to be more like JavaScript (which of course is the JS of JSON). JavaScript does allow "object literals" like |
Agreed that if the user wants a key, value, or list element to use chars that might be interpreted as JSON control chars like braces, brackets, commas, etc., then they need to use double quotes. So for example |
Did you have something in mind? The main alternative I see to just bailing on |
It seems to me that you, @johnjaylward, and I have about the same idea, maybe differing in details. Your approach makes sense, please proceed, and let's see how it turns out. |
OK, well I did what I said in my last comment and updated #772 so it just skips past the part of |
JSONObject
contains this logic to prevent a key in a JSON object from being another JSON object or an array:However this doesn't cover all cases. For example,
JSONObject
currently accepts this string:which it interprets as an object with two keys, one that is the string
a
and one that is the string[{"b":2}]
.Strict JSON, of course, only accepts string literals as keys in objects. JSON-java is more liberal, but it does balk at nested objects since the fix for #654. The example above suggests that that fix was incomplete. I think it would make sense to disallow nested objects or arrays as keys always. They're not valid JSON and it's unlikely that anyone is relying on them for legitimate purposes. Meanwhile they can straightforwardly be used for DoS attacks, similar to #654 and #758.
I have a proposed fix which I will send shortly.
The text was updated successfully, but these errors were encountered: