Make Object and JsonElement deserialization iterative
#1912
Conversation
Often when Object and JsonElement are deserialized the format of the JSON data is unknown and it might come from an untrusted source. To avoid a StackOverflowError from maliciously crafted JSON, deserialize Object and JsonElement iteratively instead of recursively. Concept based on FasterXML/jackson-databind@51fd2fa But implementation is not based on it.
Marcono1234
force-pushed
the
marcono1234/iterative-deserialization
branch
from
851728d
to
539952e
Compare
|
@eamonnmcmanus, what do you think about these changes? They would probably fix #2109 and #2111. |
There was a problem hiding this comment.
Thanks! I think this is a great idea, and I appreciate your taking the trouble to make it work. The current business of catching StackOverflowError has always felt very wobbly to me.
I'm running this against Google's internal tests to check whether they show anything up.
My main comment is that we should probably still have some limit on the maximum depth. Otherwise we could still be exposing users to denial-of-service attacks. If every { causes a new LinkedTreeMap to be allocated then an input string with a million of them is probably going to allocate on the order of 30M. We can imagine that being enough to cause a server to fall over.
We could have a hardcoded limit on nesting, say 1000, or we could make that a parameter settable by GsonBuilder.
gson/src/main/java/com/google/gson/internal/bind/ObjectTypeAdapter.java
Outdated
Show resolved
Hide resolved
gson/src/main/java/com/google/gson/internal/bind/ObjectTypeAdapter.java
Outdated
Show resolved
Hide resolved
| * the next element is neither of those. | ||
| */ | ||
| private JsonElement tryBeginNesting(JsonReader in, JsonToken peeked) throws IOException { | ||
| if (peeked == JsonToken.BEGIN_ARRAY) { |
There was a problem hiding this comment.
Same comment about switch here, and about LinkedList below. Is it possible to reduce the amount of code duplication between this class and ObjectTypeAdapter?
There was a problem hiding this comment.
Is it possible to reduce the amount of code duplication between this class and
ObjectTypeAdapter?
The code indeed looks pretty similar. Maybe this can be done by having a separate internal abstract IterativeDeserializer or similar with subclasses for Object and JsonElement deserialization, but I am not sure if this wouldn't be more complex (and possibly more inefficient). Do you have a specific implementation in mind?
There was a problem hiding this comment.
I don't think it's necessary to do anything about this right away, unless there is some way that people could switch between the two to circumvent any depth (etc) limitations we are trying to introduce here.
Sounds reasonable, but maybe it shouldn't be depth then, but instead total count. Otherwise an adversary could circumvent the depth restriction by creating one JSON array and placing all the JSON objects inside it. So instead the total number of encountered JSON arrays and objects could be tracked for these deserializers per deserialization call. What do you think?
Maybe there is a related issue: When |
I see what you mean. Instead of causing |
|
Is this pull request fine like this or are there any other things you want to have changed? |
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.google.code.gson:gson-parent](https://togithub.com/google/gson) | `2.9.0` -> `2.10.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [com.google.code.gson:gson](https://togithub.com/google/gson) | `2.9.0` -> `2.10.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>google/gson</summary> ### [`v2.10`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-210) - Support for serializing and deserializing Java records, on Java ≥ 16. ([google/gson#2201) - Add `JsonArray.asList` and `JsonObject.asMap` view methods ([google/gson#2225) - Fix `TypeAdapterRuntimeTypeWrapper` not detecting reflective `TreeTypeAdapter` and `FutureTypeAdapter` ([google/gson#1787) - Improve `JsonReader.skipValue()` ([google/gson#2062) - Perform numeric conversion for primitive numeric type adapters ([google/gson#2158) - Add `Gson.fromJson(..., TypeToken)` overloads ([google/gson#1700) - Fix changes to `GsonBuilder` affecting existing `Gson` instances ([google/gson#1815) - Make `JsonElement` conversion methods more consistent and fix javadoc ([google/gson#2178) - Throw `UnsupportedOperationException` when `JsonWriter.jsonValue` is not supported ([google/gson#1651) - Disallow `JsonObject` `Entry.setValue(null)` ([google/gson#2167) - Fix `TypeAdapter.toJson` throwing AssertionError for custom IOException ([google/gson#2172) - Convert null to JsonNull for `JsonArray.set` ([google/gson#2170) - Fixed nullSafe usage. ([google/gson#1555) - Validate `TypeToken.getParameterized` arguments ([google/gson#2166) - Fix [#​1702](https://togithub.com/google/gson/issues/1702): Gson.toJson creates CharSequence which does not implement toString ([google/gson#1703) - Prefer existing adapter for concurrent `Gson.getAdapter` calls ([google/gson#2153) - Improve `ArrayTypeAdapter` for `Object[]` ([google/gson#1716) - Improve `AppendableWriter` performance ([google/gson#1706) ### [`v2.9.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-291) - Make `Object` and `JsonElement` deserialization iterative rather than recursi[google/gson#1912) - Added parsing support for enum that has overridden toString() method ([google/gson#1950) - Removed support for building Gson with Gradle ([google/gson#2081) - Removed obsolete `codegen` hierarchy ([google/gson#2099) - Add support for reflection access filter ([google/gson#1905) - Improve `TypeToken` creation validation ([google/gson#2072) - Add explicit support for `float` in `JsonWriter` ([google/gson#2130, [google/gson#2132) - Fail when parsing invalid local date ([google/gson#2134) Also many small improvements to javadoc. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/elide-dev/v3). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xMDIuMCIsInVwZGF0ZWRJblZlciI6IjM0LjEwMi4wIn0=-->
](https://renovatebot.com){kind=link}
Often when
ObjectandJsonElementare deserialized the format of the JSON data is unknown and it might come from an untrusted source. To avoid aStackOverflowErrorfrom maliciously crafted JSON, deserializeObjectandJsonElementiteratively instead of recursively.Note that in most cases Gson already catches
StackOverflowErrorso users of current Gson versions would not encounter them.Concept based on FasterXML/jackson-databind@51fd2fa
But implementation is not based on it.