fix CVE-2024-57699 for predefined parsers

ccudennec-otto · ccudennec-otto · commit 2510b41729b1 · 2025-02-07T19:39:51.000+01:00
diff --git a/README.md b/README.md
@@ -19,6 +19,10 @@ So I do not use my json-smart anymore. I had fun with this project. If you want
 
 # Changelog
 
+## *V 2.5.2* (2025-02-07)
+
+* Fix CVE-2024-57699 for predefined parsers
+
 ### *V 2.5.1* (2024-03-14)
 
 * Bump all dependencies.
@@ -122,4 +126,4 @@ So I do not use my json-smart anymore. I had fun with this project. If you want
 
 ### *V 2.0-RC1* (2012-02-18)
   * speed improvement in POJO manipulation
-  * add JSONStyle.LT_COMPRESS predefined generate strct json, but ignoring / escapement.
+  * add JSONStyle.LT_COMPRESS predefined generate strct json, but ignoring / escapement.
diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParser.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParser.java
@@ -41,55 +41,55 @@ public class JSONParser {
 	public final static int IGNORE_CONTROL_CHAR = 8;
 	/**
 	 * Use int datatype to store number when it's possible.
-	 * 
+	 *
 	 * @since 1.0.7
 	 */
 	public final static int USE_INTEGER_STORAGE = 16;
 	/**
 	 * Throws exception on excessive 0 leading in digits
-	 * 
+	 *
 	 * @since 1.0.7
 	 */
 	public final static int ACCEPT_LEADING_ZERO = 32;
 	/**
 	 * Throws exception on useless comma in object and array
-	 * 
+	 *
 	 * @since 1.0.8
 	 */
 	public final static int ACCEPT_USELESS_COMMA = 64;
 	/**
 	 * Allow Json-smart to use Double or BigDecimal to store floating point
 	 * value
-	 * 
+	 *
 	 * You may need to disable HI_PRECISION_FLOAT feature on 32bit to improve
 	 * parsing performances.
-	 * 
+	 *
 	 * @since 1.0.9
 	 */
 	public final static int USE_HI_PRECISION_FLOAT = 128;
 	/**
 	 * If enabled json-smart will throws exception if datas are present after
 	 * the end of the Json data.
-	 * 
+	 *
 	 * @since 1.0.9-2
 	 */
 	public final static int ACCEPT_TAILLING_DATA = 256;
 	/**
 	 * smart mode, fastest parsing mode. accept lots of non standard json syntax
-	 * 
+	 *
 	 * @since 2.0.1
 	 */
 	public final static int ACCEPT_TAILLING_SPACE = 512;
 	/**
 	 * smart mode, fastest parsing mode. accept lots of non standard json syntax
-	 * 
+	 *
 	 * @since 2.2.2
 	 */
 	public final static int REJECT_127_CHAR = 1024;
 
 	/**
 	 * Use double if possible for big digits, if no precision lost is observed
-	 * 
+	 *
 	 * @since 2.4
 	 */
 	public final static int BIG_DIGIT_UNRESTRICTED = 2048;
@@ -100,36 +100,36 @@ public class JSONParser {
 	 * @since 2.5
 	 */
 	public static final int LIMIT_JSON_DEPTH = 4096;
-	
-	
+
+
 	/**
 	 * smart mode, fastest parsing mode. accept lots of non standard json syntax
-	 * 
+	 *
 	 * @since 1.0.6
 	 */
 	public final static int MODE_PERMISSIVE = -1;
 	/**
 	 * strict RFC4627 mode.
-	 * 
+	 *
 	 * slower than PERMISSIVE MODE.
-	 * 
+	 *
 	 * @since 1.0.6
 	 */
-	public final static int MODE_RFC4627 = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_SPACE;
+	public final static int MODE_RFC4627 = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_SPACE | LIMIT_JSON_DEPTH;
 	/**
 	 * Parse Object like json-simple
-	 * 
+	 *
 	 * Best for an iso-bug json-simple API port.
-	 * 
+	 *
 	 * @since 1.0.7
 	 */
-	public final static int MODE_JSON_SIMPLE = ACCEPT_USELESS_COMMA | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_DATA | ACCEPT_TAILLING_SPACE | REJECT_127_CHAR | BIG_DIGIT_UNRESTRICTED;
+	public final static int MODE_JSON_SIMPLE = ACCEPT_USELESS_COMMA | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_DATA | ACCEPT_TAILLING_SPACE | REJECT_127_CHAR | BIG_DIGIT_UNRESTRICTED | LIMIT_JSON_DEPTH;
 	/**
 	 * Strictest parsing mode
-	 * 
+	 *
 	 * @since 2.0.1
 	 */
-	public final static int MODE_STRICTEST = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | REJECT_127_CHAR;
+	public final static int MODE_STRICTEST = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | REJECT_127_CHAR | LIMIT_JSON_DEPTH;
 	/**
 	 * Default json-smart processing mode
 	 */
@@ -154,7 +154,7 @@ private JSONParserReader getPStream() {
 
 	/**
 	 * cached constructor
-	 * 
+	 *
 	 * @return instance of JSONParserInputStream
 	 */
 	private JSONParserInputStream getPBinStream() {
@@ -165,7 +165,7 @@ private JSONParserInputStream getPBinStream() {
 
 	/**
 	 * cached constructor
-	 * 
+	 *
 	 * @return instance of JSONParserString
 	 */
 	private JSONParserString getPString() {
@@ -176,7 +176,7 @@ private JSONParserString getPString() {
 
 	/**
 	 * cached constructor
-	 * 
+	 *
 	 * @return instance of JSONParserByteArray
 	 */
 	private JSONParserByteArray getPBytes() {
@@ -223,7 +223,7 @@ public <T> T parse(byte[] in, Class<T> mapTo) throws ParseException {
 	/**
 	 * use to return Primitive Type, or String, Or JsonObject or JsonArray
 	 * generated by a ContainerFactory
-	 * @throws UnsupportedEncodingException 
+	 * @throws UnsupportedEncodingException
 	 */
 	public Object parse(InputStream in) throws ParseException, UnsupportedEncodingException {
 		return getPBinStream().parse(in);
diff --git a/json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java b/json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java
@@ -0,0 +1,62 @@
+package net.minidev.json.test;
+
+import net.minidev.json.parser.JSONParser;
+import net.minidev.json.parser.ParseException;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class TestCVE202457699 {
+
+    @Test
+    public void jsonSimpleParserShouldRestrictDepth() {
+        // Create a Malicious JSON String
+        StringBuilder s = createMaliciousString();
+        JSONParser p = new JSONParser(JSONParser.MODE_JSON_SIMPLE);
+        assertThrows(ParseException.class,
+                () -> p.parse(s.toString()),
+                "Malicious payload, having non natural depths");
+    }
+
+    @Test
+    public void strictestParserShouldRestrictDepth() {
+        // Create a Malicious JSON String
+        StringBuilder s = createMaliciousString();
+        JSONParser p = new JSONParser(JSONParser.MODE_STRICTEST);
+        assertThrows(ParseException.class,
+                () -> p.parse(s.toString()),
+                "Malicious payload, having non natural depths");
+    }
+
+    @Test
+    public void rfc4627ParserShouldRestrictDepth() {
+        // Create a Malicious JSON String
+        StringBuilder s = createMaliciousString();
+        JSONParser p = new JSONParser(JSONParser.MODE_RFC4627);
+        assertThrows(ParseException.class,
+                () -> p.parse(s.toString()),
+                "Malicious payload, having non natural depths");
+    }
+
+    @Test
+    public void permissiveParserShouldRestrictDepth() {
+        // Create a Malicious JSON String
+        StringBuilder s = createMaliciousString();
+        JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE);
+        assertThrows(ParseException.class,
+                () -> p.parse(s.toString()),
+                "Malicious payload, having non natural depths");
+    }
+
+    private static StringBuilder createMaliciousString() {
+        StringBuilder s = new StringBuilder();
+        for (int i = 0; i < 10000 ; i++) {
+            s.append("{\"a\":");
+        }
+        s.append("1");
+        for (int i = 0; i < 10000 ; i++) {
+            s.append("}");
+        }
+        return s;
+    }
+}
