CVE-2022-21653: Use TreeMap in SimpleFacade to solve DoS vuln by kag0 · Pull Request #390 · typelevel/jawn

Jawn is an open source JSON parser. Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don’t override objectContext() are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. jawn-parser-1.3.1 fixes this issue and users are advised to upgrade. For users unable to upgrade override objectContext() to use a collision-safe collection.


I haven’t looked deeply at the implementations for how Circe or Play do that wrapping. But I’d guess that they turn the Java map into some non-map type (I vaguely remember Play is a Seq of tuples or something?), or have expensive mutations (cloning the underlying mutable map each time), or do something like scala.collection.JavaConverters .toScala.toMap, which would convert to the default HAMT and expose the vuln (I think Circe does on mutation).
None of the above are ideal, for my use case at least. Users would find the map follows the contract, but wouldn’t perform as one would assume. So at the end of the day we need a safe immutable map and TreeMap is the only one I’m aware of.
Is there a way to more quickly build a different structure and then convert to TreeMap?

Unfortunately there’s no immutable CollisionProofHashMap, so I think that leaves us in about the same situation as the Java java.util.HashMap wrapped using JavaConverters.
I think the ideal solution would be an immutable CollisionProofHashMap in the standard library (and added to collections-compat), but short of that TreeMap seems like what we’re left with.

Let me know if that all sounds correct.
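The workaround the advisory gives for users who cannot upgrade (override objectContext() to build objects in a collision-safe collection) and the TreeMap choice the comment above settles on, shown as an added Scala example. This is not jawn's own code and not the pull request's change; it assumes the jawn 1.x API (org.typelevel.jawn.SimpleFacade, FContext with index-taking add/finish methods, and Parser.parseFromString) and uses a small constructed AST (Json, JObj, etc.) that jawn does not ship:

```scala
import scala.collection.immutable.TreeMap
import scala.util.Try
import org.typelevel.jawn.{FContext, Parser, SimpleFacade}

// Constructed for this example: a minimal JSON AST. jawn has no AST of its own.
sealed trait Json
case object JNull extends Json
final case class JBool(b: Boolean) extends Json
final case class JNum(repr: String) extends Json
final case class JStr(s: String) extends Json
final case class JArr(vs: List[Json]) extends Json
// Object members are kept in a TreeMap: lookup and insert cost O(log n) string
// comparisons no matter how the keys' hashCodes collide.
final case class JObj(vs: TreeMap[String, Json]) extends Json

object TreeMapFacade extends SimpleFacade[Json] {
  def jnull: Json = JNull
  def jfalse: Json = JBool(false)
  def jtrue: Json = JBool(true)
  def jnum(s: CharSequence, decIndex: Int, expIndex: Int): Json = JNum(s.toString)
  def jstring(s: CharSequence): Json = JStr(s.toString)
  def jarray(vs: List[Json]): Json = JArr(vs)
  // Reached only if some other context hands us a plain Map; normalise it too.
  def jobject(vs: Map[String, Json]): Json = JObj(TreeMap.empty[String, Json] ++ vs)

  // The mitigation: SimpleFacade's default objectContext accumulates members in
  // the default immutable Map (a HAMT keyed on hashCode), which degrades under
  // crafted colliding keys. Accumulating in a TreeMap instead makes insertion cost
  // depend on key ordering, not hashing.
  override def objectContext(index: Int): FContext[Json] = new FContext[Json] {
    private[this] var key: String = null
    private[this] var members = TreeMap.empty[String, Json]

    // jawn alternates: the first string in a pair is the key, the next value is
    // the member (string members also arrive through this overload).
    def add(s: CharSequence, index: Int): Unit =
      if (key == null) key = s.toString
      else { members = members.updated(key, jstring(s)); key = null }

    def add(v: Json, index: Int): Unit = {
      members = members.updated(key, v)
      key = null
    }

    def finish(index: Int): Json = JObj(members)
    def isObj: Boolean = true
  }
}

object TreeMapFacadeDemo {
  def parse(s: String): Try[Json] = Parser.parseFromString(s)(TreeMapFacade)

  def main(args: Array[String]): Unit = {
    // Sample document constructed for the demo; keys come back sorted by the
    // TreeMap's String ordering, so "a" precedes "b" regardless of input order.
    println(parse("""{"b": 1, "a": ["x", true, null], "c": {"z": false}}"""))
  }
}
```

The trade-off is the one the comment describes: every insert is O(log n) rather than the hash map's expected O(1), and member iteration order becomes sorted rather than insertion-ordered, which callers that relied on ordering need to know. A facade inherited from a library (Circe, Play) only benefits if that library's objectContext() is the one being overridden, so the override has to live in the facade actually passed to the parser.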
