JSON parsing should detect embedded \0 values
#759
Merged
+12
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A better solution might be to use -1 instead 0 to represent EOF everywhere, which of course means changing `char` variables to `int`. The solution here is enough to solve the immediate problem, though. Fixes stleary#758.
johnjaylward
reviewed
Aug 1, 2023
johnjaylward
approved these changes
Aug 1, 2023
|
What problem does this code solve? Risks Changes to the API? Will this require a new release? Should the documentation be updated? Does it break the unit tests? Was any code refactored in this commit? Review status Starting 3-day comment window. |
stleary
changed the title
\0 when parsing JSON objects.\0 values
There probably is going to be a CVE for the DoS issue, so you might want to plan for a release that includes the fix. |
stleary
approved these changes
Aug 5, 2023
|
No worries, a new version can be released if/when the CVE is added |
johnjaylward
pushed a commit
to johnjaylward/JSON-java
that referenced
this pull request
Oct 17, 2023
JSON parsing should detect embedded `\0` values
claireagordon
added a commit
to yext/JSON-java
that referenced
this pull request
Mar 26, 2024
See: stleary/JSON-java#758 stleary/JSON-java#759 Port pull #759 from stleary/JSON-java to help address OOM errors described in https://www.cve.org/CVERecord?id=CVE-2023-5072 To support the JSONTokener.end() function this relies on, port over the 'eof' flag & set in all locations it's used in the latest JSON-java. Use the String next(int n) implementation from more recent java versions so we can properly check end() while reading a group of characters. Test by: - importing into alpha locally & running all tests that depend on //thirdparty:json - verifying that Snyk's proof-of-concept does not cause OOMs: https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464
This was referenced Jun 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A better solution might be to use -1 instead 0 to represent EOF everywhere, which of course means changing
charvariables toint. The solution here is enough to solve the immediate problem, though.Fixes #758.