Commits on Mar 26, 2024

1. Disallow nested objects and arrays as keys in objects …

   Port of stleary/JSON-java#772
   to partially remediate
   https://www.cve.org/CVERecord?id=CVE-2023-5072 , where
   nested keys can allow relatively small inputs to
   cause OOM errors through recursion.
   
   Test by:
   - package & import into alpha locally
   - confirm a suite of unit tests depending on JSONObjects
   passes
   - verify that the following CVE Proof-of-concept fails
   with an 'unexpected character' exception:
   https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464

   

   claireagordon committed Mar 26, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for bf3a2ff
   • Browse repository at this point

   Copy the full SHA

   bf3a2ff View commit details

   Browse the repository at this point in the history

2. JSON parsing should detect embedded \0 values …

   See:
   stleary/JSON-java#758
   stleary/JSON-java#759
   
   Port pull #759 from stleary/JSON-java to help
   address OOM errors described in
   https://www.cve.org/CVERecord?id=CVE-2023-5072
   
   To support the JSONTokener.end() function this
   relies on, port over the 'eof' flag & set in
   all locations it's used in the latest JSON-java.
   
   Use the String next(int n) implementation from
   more recent java versions so we can properly check
   end() while reading a group of characters.
   
   Test by:
   - importing into alpha locally & running all tests
   that depend on //thirdparty:json
   - verifying that Snyk's proof-of-concept does
   not cause OOMs:
   https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464

   

   claireagordon committed Mar 26, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 4fa27f1
   • Browse repository at this point

   Copy the full SHA

   4fa27f1 View commit details

   Browse the repository at this point in the history