panic: runtime error: slice bounds out of range #219
Comments
|
@AllenX2018 Any new progress on repairing this issue ? |
|
FYI, this was assigned CVE-2020-35381. |
|
A fix seems to be: |
|
@d-hat can you submit a PR pls? |
Merged
|
Modified slightly to return an error instead of continue trying to index. Please correct any errors or poor style on my part, my golang expertise is approximately nil |
|
Amy chance this can get fixed soonish? Thanks. |
buger
added a commit
that referenced
this issue
Jan 8, 2021
Attempt to fix #219 and introduce a test. The only error that can easily be returned in this case is `KeyPathNotFoundError`, which is reasonable if you squint (a malformed key can not be found). Note I'm far from fluent in golang so this should be reviewed with some care 😄
|
Should be fixed now! |
|
Will there also be a new release incorporating this? Thanks! |
|
Just did v1.1.1 release 🚀 |
|
Thanks! |
naveensrinivasan
added a commit
to ossf/scorecard
that referenced
this issue
Sep 21, 2021
The github.com/buger/jsonparser has this vulnerability.
"vulns": [
{
"id": "GO-2021-0089",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
},
"aliases": [
"CVE-2020-10675"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
},
"references": [
{
"type": "FIX",
"url": "buger/jsonparser#192"
},
{
"type": "FIX",
"url": "buger/jsonparser@91ac968"
},
{
"type": "WEB",
"url": "buger/jsonparser#188"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
}
}
]
},
{
"id": "GO-2021-0057",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.1.1"
}
]
},
"aliases": [
"CVE-2020-35381"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml"
},
"references": [
{
"type": "FIX",
"url": "buger/jsonparser#221"
},
{
"type": "FIX",
"url": "buger/jsonparser@df3ea76"
},
{
"type": "WEB",
"url": "buger/jsonparser#219"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
}
}
]
}
]
}
naveensrinivasan
added a commit
to ossf/scorecard
that referenced
this issue
Sep 21, 2021
The github.com/buger/jsonparser has this vulnerability.
"vulns": [
{
"id": "GO-2021-0089",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
},
"aliases": [
"CVE-2020-10675"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
},
"references": [
{
"type": "FIX",
"url": "buger/jsonparser#192"
},
{
"type": "FIX",
"url": "buger/jsonparser@91ac968"
},
{
"type": "WEB",
"url": "buger/jsonparser#188"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
}
}
]
},
{
"id": "GO-2021-0057",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.1.1"
}
]
},
"aliases": [
"CVE-2020-35381"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml"
},
"references": [
{
"type": "FIX",
"url": "buger/jsonparser#221"
},
{
"type": "FIX",
"url": "buger/jsonparser@df3ea76"
},
{
"type": "WEB",
"url": "buger/jsonparser#219"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
}
}
]
}
]
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
payload:
func main() {
testJson :=
[s, _ := jsonparser.GetString([]byte(testJson), testJson)
fmt.Println(s)
}
panic: runtime error: slice bounds out of range [1:0]
goroutine 1 [running]:
github.com/buger/jsonparser.searchKeys(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0xc00003a000)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:311 +0xfdb
github.com/buger/jsonparser.internalGet(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0xc0000d7d38, 0x65e120, 0x56afb0, 0xc0000d7dc0, ...)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:891 +0x3a6
github.com/buger/jsonparser.Get(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0xc0000d7e87, 0x0, 0xc0000d7e14, 0xc0000d7e87, ...)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:885 +0x90
github.com/buger/jsonparser.GetString(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0x9, 0x9, 0x0, 0x0)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:1122 +0x9e
The text was updated successfully, but these errors were encountered: