
CVE-2023-5072: disallow nested object/array keys & detect embedded \0 #1

Merged (2 commits, Apr 1, 2024)

Commits on Mar 26, 2024

  1. Disallow nested objects and arrays as keys in objects

    Port of stleary/JSON-java#772 to partially remediate https://www.cve.org/CVERecord?id=CVE-2023-5072, where nested keys can allow relatively small inputs to cause OOM errors through recursion.

    Test by:
    - package & import into alpha locally
    - confirm a suite of unit tests depending on JSONObjects passes
    - verify that the following CVE Proof-of-concept fails with an 'unexpected character' exception: https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464
    claireagordon committed Mar 26, 2024 (commit bf3a2ff)
  2. JSON parsing should detect embedded \0 values

    See:
    stleary/JSON-java#758
    stleary/JSON-java#759

    Port pull #759 from stleary/JSON-java to help address OOM errors described in https://www.cve.org/CVERecord?id=CVE-2023-5072

    To support the JSONTokener.end() function this relies on, port over the 'eof' flag & set in all locations it's used in the latest JSON-java.

    Use the String next(int n) implementation from more recent java versions so we can properly check end() while reading a group of characters.

    Test by:
    - importing into alpha locally & running all tests that depend on //thirdparty:json
    - verifying that Snyk's proof-of-concept does not cause OOMs: https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464
    claireagordon committed Mar 26, 2024 (commit 4fa27f1)
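The two guards these commits describe, shown together in one small illustrative JSON tokener written in Python for this page; it is an added example, not org.json's code or this fork's Java port. It models the second commit's approach: `next()` returns `'\0'` only as an end-of-input sentinel and records that fact in an `eof` flag, so `end()` can tell a real end of input apart from a NUL character that is actually present in the input, and `next_n(n)` checks `end()` after every character of a fixed-width read such as the four hex digits of a `\uXXXX` escape. It also models the first commit's guard: in key position the object parser only accepts a simple value and fails with an 'unexpected character' error on `{` or `[`, so a key can never recurse into a nested container. The class, method and error names (`Tokener`, `next_simple_value`, `JSONSyntaxError`, and so on) are this example's own assumptions and not the library's API; the sample inputs are constructed.

```python
"""Illustrative JSON tokener (added example, not org.json code) with two guards:
(1) object keys may not be nested objects/arrays, and (2) a NUL character in the
input is distinguished from the '\\0' sentinel returned at true end of input."""


class JSONSyntaxError(ValueError):
    """Raised for malformed input, including the two guarded cases."""


class Tokener:
    def __init__(self, text: str) -> None:
        self._text = text
        self._pos = 0
        self.eof = False  # True only once we have read past the last character

    def next(self) -> str:
        """Return the next character, or '\\0' once the input is exhausted."""
        if self._pos >= len(self._text):
            self.eof = True
            return "\0"
        ch = self._text[self._pos]
        self._pos += 1
        return ch

    def _back(self) -> None:
        if not self.eof:  # nothing was consumed when the sentinel was returned
            self._pos -= 1

    def end(self) -> bool:
        """True only at real end of input, never for an embedded NUL."""
        return self.eof

    def _check_nul(self, ch: str) -> None:
        # A '\0' that arrives while end() is False came from the input itself.
        if ch == "\0" and not self.end():
            raise JSONSyntaxError(f"unexpected character NUL at offset {self._pos - 1}")

    def next_n(self, n: int) -> str:
        """Read exactly n characters, checking end() after each one."""
        chars = []
        for _ in range(n):
            ch = self.next()
            if self.end():
                raise JSONSyntaxError("substring bounds error: input ended early")
            self._check_nul(ch)
            chars.append(ch)
        return "".join(chars)

    def next_clean(self) -> str:
        """Skip whitespace; return the next significant char or '\\0' at EOF."""
        while True:
            ch = self.next()
            self._check_nul(ch)
            if ch == "\0" or ch > " ":
                return ch

    def next_value(self):
        ch = self.next_clean()
        if ch == "{":
            return self._parse_object()
        if ch == "[":
            return self._parse_array()
        return self._parse_simple(ch)

    def next_simple_value(self, ch: str):
        """Parser used in key position: refuses to recurse into { or [."""
        if ch in "{[":
            raise JSONSyntaxError(f"unexpected character '{ch}': nested key not allowed")
        return self._parse_simple(ch)

    def _parse_simple(self, ch: str):
        if ch == '"':
            return self._parse_string()
        if ch == "\0":
            raise JSONSyntaxError("unexpected end of input")
        buf = []
        while ch > " " and ch not in ",:]}":  # bare literal: true/false/null/number/word
            buf.append(ch)
            ch = self.next()
            self._check_nul(ch)
        self._back()
        token = "".join(buf)
        literals = {"true": True, "false": False, "null": None}
        if token in literals:
            return literals[token]
        for conv in (int, float):
            try:
                return conv(token)
            except ValueError:
                pass
        return token  # lenient: an unquoted word is kept as a string

    def _parse_string(self) -> str:
        out = []
        while True:
            ch = self.next()
            if ch == "\0" and self.end():
                raise JSONSyntaxError("unterminated string")
            self._check_nul(ch)
            if ch == '"':
                return "".join(out)
            if ch == "\\":
                esc = self.next()
                self._check_nul(esc)
                if esc == "u":  # fixed-width read guarded by next_n()
                    try:
                        out.append(chr(int(self.next_n(4), 16)))
                    except ValueError:
                        raise JSONSyntaxError("bad \\u escape") from None
                else:
                    out.append({"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}.get(esc, esc))
            else:
                out.append(ch)

    def _parse_object(self) -> dict:
        obj = {}
        ch = self.next_clean()
        if ch == "}":
            return obj
        while True:
            key = str(self.next_simple_value(ch))  # nested-key guard applies here
            if self.next_clean() != ":":
                raise JSONSyntaxError("expected ':' after key")
            obj[key] = self.next_value()
            ch = self.next_clean()
            if ch == "}":
                return obj
            if ch != ",":
                raise JSONSyntaxError("expected ',' or '}' in object")
            ch = self.next_clean()

    def _parse_array(self) -> list:
        arr = []
        if self.next_clean() == "]":
            return arr
        self._back()
        while True:
            arr.append(self.next_value())
            ch = self.next_clean()
            if ch == "]":
                return arr
            if ch != ",":
                raise JSONSyntaxError("expected ',' or ']' in array")


def parse(text: str):
    """Parse one JSON document; trailing bytes (including NUL) are an error."""
    tok = Tokener(text)
    value = tok.next_value()
    if tok.next_clean() != "\0":
        raise JSONSyntaxError("trailing characters after value")
    return value


def rejects(text: str) -> bool:
    """True if parse() refuses the input with a JSONSyntaxError."""
    try:
        parse(text)
    except JSONSyntaxError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: one well-formed document, one nested-object key,
    # one embedded NUL, one truncated \u escape.
    print(parse('{"a": [1, 2, {"b": null}], "t": true}'))
    for bad in ('{{"a":1}:1}', '{"a": "b\0c"}', '{"a": "\\u00'):
        print(repr(bad), "rejected:", rejects(bad))
```

Because the sentinel and the flag are set in the same place (`next()`), every caller that sees `'\0'` can ask `end()` and get the right answer; the checks in `next_clean()`, `next_n()`, the literal loop and the string loop are what the second commit means by "set in all locations it's used". The key-position guard is deliberately placed before any recursion happens, which is why a nested-key input fails fast with an 'unexpected character' error instead of consuming memory.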