Denial Of Service (DOS) Vulnerability found in library #230
Comments
|
This is not a Denial Of Service (DOS) attack vector. It's just a normal exception that can be caught by the application. |
|
Ah, the trustworthyness of a website that hides the relevant info behind a paywall... |
|
Another counter argument: The check introduced in the commit mentioned would only prevent the DoS attack if the flag would be set to true, which defaults to false. So either a proper fix would have to set the flag to true in addition to this check, or remove making this optional entirely. Simply adding a check that is disabled by default does not count as a proper fix from my perspective I'm happy to discuss details once there is even a theoretical code presented that leads to misbehaving in the library. |
|
I found this: https://stackoverflow.com/questions/69936667/how-do-i-get-details-of-a-veracode-vulnerability-report I believe it isn't worthwhile to bother contacting Veracode for details, they are entirely publishing bogus security reports according to public opinion. |
|
Thanks for your responses. I totally understand the lack of actual information on the report is frustrating. Like the other reporter, I'm just reporting what we've found. And I also agree the fix appears to be a setting that may not be set anyway but the security scans are not the brightest. :/ You do have a PR out that looks like it resolves the bStrictObjectTypeChecking setting. if that was merged and a new patch released it may solve the SCA report? |
|
Unfortunately I believe that PR is not doing the right thing. And the claim in these reports about DoS potential is totally out of proportion in relation to this libraries abilities. It's true that you can pass NULL values into an array that claims to only allow certain objects, and there even is a test case for this, validating this happens. So one can hardly claim this is a bug - it is a feature, although an unexpected one. I have yet to find out what the intention should be, and it will most likely be fixed in a major version release. |
|
The problems in PocketMine had were because of unexpected behaviour which arose due to JsonMapper attempting to hydrate objects using flat types. Since JsonMapper performs no checks on the __construct or its inputs during hydration, it can silently lead to unexpected behaviour, or other types of exceptions (aside from Maintainers previously said they were ok with this behaviour, as JsonMapper isn't intended for data validation; IMHO this defeats half the point of using the library, but as long as you're aware of this, you won't have crash issues like PocketMine did. I made the assumption that JsonMapper would fully validate the data, but it does not. The referenced commit disables object hydration for arrays. Since PM always uses In addition, PM isn't a web application, everything is handled within a single process, so issues that would just crash one web request will take down a whole PM server due to the architecture, hence the higher vulnerability rating in PocketMine-MP. A tool can be used several ways :) |
Veracode has flagged the following high security issue for your package:
netresearch/jsonmapper and pocketmine/netresearch-jsonmapper is vulnerable to Denial Of Service. The vulnerability is due to there is no proper validation when constructing objects from scalar types. This flaw potentially leads to a server crash caused by malformed JSON.
veracode vulnerability
Pocketmine have already implemented a fix on their fork:
#L461-L466 and the commit here: 083d034ab16c4f7a8466c89e5c18b222f51adb74
Would it be possible to get the same fix in the next patch release?
The text was updated successfully, but these errors were encountered: