Optimize UntypedObjectDeserializer wrt recursion [CVE-2020-36518] #2816
Comments
Looks like nesting of about 2000 works, 3000 fails, with default settings for both Arrays and Objects.
Tagging as "performance" (since resource consumption of call stack causes the exception). Also added similar test for
FWIW, similar issue does NOT affect Could start with
@cowtowncoder, could you please clarify if the same fix is planned to be backported to the versions
EDIT: fix actually backported, see initial Description (now Edited as well) for details. @meier-th Very unlikely that I would try to backport this to anything prior to 2.14.0. The new implementation probably has a non-trivial chance of regression and this functionality is widely used. Note that no implementation yet exists, but I fully intend to work on this to try to get it done for 2.14.0 (or someone else could beat me to it).
@meier-th I'm sure that the same issue existing in
Oh fucking great. Someone decided to file a CVE for this one. Surely teaches me to file issues on things I want to work on -- and then some Very Nice Person is going to file a CVE to freak out everybody.
I recommend that you simply throw some error if the nesting is too deep to cope with. You could improve the nesting depth later on, but you (and we users) will get rid of this annoying CVE.
…ckson:jackson-bom to 2.12.6.20220326 see FasterXML/jackson-databind#2816
…ckson:jackson-bom to 2.12.6.20220326 (#966) see FasterXML/jackson-databind#2816
…E-2020-36518) (FasterXML#3416) (cherry picked from commit fcfc499)
EDIT: related to CVE-2020-36518 (see https://nvd.nist.gov/vuln/detail/CVE-2020-36518)

EDIT: Fix included in jackson-bom version 2.13.2.20220328 and jackson-bom version 2.12.6.1.20220326

EDIT: included as one of Snyk's "top-10 vulns of 2022" CVEs -- see https://go.snyk.io/snyk-top-10-open-source-vulnerabilities-dwn-typ.html
Current implementation of UntypedObjectDeserializer is relatively expensive for deeply nested Object and Array values as it uses recursion even for the "vanilla" case (one where there are no custom List/array or Map deserializers). In practical terms it is possible to exhaust typical modest JVM memory with documents having about ten thousand levels of nesting, due to the size of the call stack from recursive calls.

NOTE: specifically this ONLY APPLIES if the target type is "untyped" or generic Collection<Object> / Map<String, Object> -- it DOES NOT APPLY to cases where the target is a POJO (except if the POJO itself has "untyped" property or properties).

Similar issue was already solved wrt JsonNode (see #3397), included in 2.13.0; this might show a way to approach this problem: by replacing simple recursion with iteration, either completely or at some inner levels.

Also note that it may ultimately be necessary to have lower-level constraints for the streaming parser too, see: FasterXML/jackson-core#637

Ideally it should be:

This issue is specifically about (1) as (2) is about jackson-core.
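To make the recursion-vs-iteration point concrete, here is an added example that is not code from this issue, from jackson-databind, or from the fix that shipped in 2.12.6.1/2.13.2.x. It builds the same "untyped" Map/List/scalar result directly on top of jackson-core's streaming API (JsonFactory, JsonParser, JsonToken, which are real), once in the recursive shape the issue describes and once with an explicit heap-allocated stack plus a depth cap, which is the approach the JsonNode fix (#3397) and the comment above suggesting "throw some error if the nesting is too deep" point at. The class name UntypedReaders, the method names and the maxDepth parameter are assumptions for illustration only; the 100,000-deep input is constructed in the example.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import java.io.IOException;
import java.util.*;

/** Added example (not Jackson code): a recursive and an iterative "untyped" reader over jackson-core's streaming API. */
public final class UntypedReaders {
    private static final JsonFactory FACTORY = new JsonFactory();

    // Recursive shape, the pattern this issue is about: one JVM stack frame per nesting level, so the depth an
    // attacker may use is bounded only by -Xss, which the application can neither check nor recover from cleanly.
    public static Object readRecursive(String json) throws IOException {
        try (JsonParser p = FACTORY.createParser(json)) { return recurse(p, p.nextToken()); }
    }

    private static Object recurse(JsonParser p, JsonToken t) throws IOException {
        if (t == JsonToken.START_OBJECT) {
            Map<String, Object> map = new LinkedHashMap<>();
            while (p.nextToken() == JsonToken.FIELD_NAME) {
                map.put(p.getCurrentName(), recurse(p, p.nextToken()));  // recursion: nesting depth == stack frames
            }
            return map;
        }
        if (t == JsonToken.START_ARRAY) {
            List<Object> list = new ArrayList<>();
            for (JsonToken e = p.nextToken(); e != JsonToken.END_ARRAY; e = p.nextToken()) list.add(recurse(p, e));
            return list;
        }
        return scalar(p, t);
    }

    // Iterative shape: open containers live on a heap Deque and nesting is checked against an explicit cap,
    // so an over-deep document fails with a catchable JsonParseException instead of a StackOverflowError.
    public static Object readIterative(String json, int maxDepth) throws IOException {
        try (JsonParser p = FACTORY.createParser(json)) {
            Deque<Object> open = new ArrayDeque<>();  // containers still being filled, innermost on top
            String pendingName = null;                // last FIELD_NAME, consumed by the value that follows it
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                Object value;
                switch (t) {
                    case FIELD_NAME:
                        pendingName = p.getCurrentName();
                        continue;
                    case START_OBJECT: case START_ARRAY:
                        if (open.size() >= maxDepth) {  // permits exactly maxDepth nested containers
                            throw new JsonParseException(p, "Nesting depth exceeds limit of " + maxDepth);
                        }
                        value = (t == JsonToken.START_OBJECT) ? new LinkedHashMap<String, Object>() : new ArrayList<Object>();
                        break;
                    case END_OBJECT: case END_ARRAY:
                        Object closed = open.pop();
                        if (open.isEmpty()) return closed;  // root container complete
                        continue;
                    default:
                        value = scalar(p, t);
                }
                Object parent = open.peek();
                boolean container = value instanceof Map || value instanceof List;
                if (parent == null && !container) return value;  // whole document is a bare scalar
                if (parent != null) attach(parent, pendingName, value);
                if (container) open.push(value);
            }
            throw new JsonParseException(p, "Unexpected end of input");
        }
    }

    @SuppressWarnings("unchecked")
    private static void attach(Object parent, String name, Object value) {
        if (parent instanceof Map) ((Map<String, Object>) parent).put(name, value);
        else ((List<Object>) parent).add(value);
    }

    private static Object scalar(JsonParser p, JsonToken t) throws IOException {
        switch (t) {
            case VALUE_STRING: return p.getText();
            case VALUE_NUMBER_INT: case VALUE_NUMBER_FLOAT: return p.getNumberValue();
            case VALUE_TRUE: return Boolean.TRUE;
            case VALUE_FALSE: return Boolean.FALSE;
            case VALUE_NULL: return null;
            default: throw new JsonParseException(p, "Unexpected token " + t);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed hostile input: 100,000 nested empty arrays, far deeper than a default JVM stack can recurse into.
        int depth = 100_000;
        StringBuilder sb = new StringBuilder(2 * depth);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        String hostile = sb.toString();
        try { readRecursive(hostile); System.out.println("recursive: survived, stack happened to be large enough"); }
        catch (StackOverflowError e) { System.out.println("recursive: StackOverflowError, nothing for the caller to handle"); }
        catch (IOException e) { System.out.println("recursive: rejected by jackson-core itself: " + e.getMessage()); }
        try { readIterative(hostile, 1000); }
        catch (IOException e) { System.out.println("iterative: " + e.getMessage()); }
        System.out.println(readIterative("{\"a\":[1,2,{\"b\":null}],\"c\":\"x\"}", 1000));
    }
}
```

The depth cap is the part worth keeping even once recursion is gone: without it the iterative reader would still let a document allocate one container per nesting level on the heap, trading a StackOverflowError for an OutOfMemoryError. Note also that from jackson-core 2.15 on, the streaming parser enforces its own nesting limit (StreamReadConstraints, default 1000), so on those versions the 100,000-deep input is rejected by jackson-core before either reader sees it; the databind-level check above still matters for older jackson-core and for callers who raise the streaming limit.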