packages/jackson-databind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
jackson-databind/CVE-2022-42004.patch
starlet-dx 42795e37e0 Fix CVE-2020-36518,CVE-2022-42003 and CVE-2022-42004 
(cherry picked from commit b7eead59adebf0ae27240f330fec6206b26e672b)
2023-12-13 16:18:21 +08:00

79 lines
3.5 KiB
Diff
Raw Permalink Blame History

From: Markus Koschany <apo@debian.org>
Date: Mon, 14 Nov 2022 22:40:58 +0100
Subject: CVE-2022-42004
Origin: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
---
.../databind/deser/BeanDeserializerBase.java | 6 +--
.../dos/DeepArrayWrappingForDeser3582Test.java | 44 ++++++++++++++++++++++
2 files changed, 47 insertions(+), 3 deletions(-)
create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
index 6ce41f7..639d8c9 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
@@ -1440,9 +1440,9 @@ public abstract class BeanDeserializerBase
return bean;
}
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- JsonToken t = p.nextToken();
- if (t == JsonToken.END_ARRAY && ctxt.isEnabled(DeserializationFeature.ACCEPT_EMPTY_ARRAY_AS_NULL_OBJECT)) {
- return null;
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return ctxt.handleUnexpectedToken(handledType(), JsonToken.START_ARRAY, p,
+"Cannot deserialize value of type %s from deeply-nested JSON Array: only single wrapper allowed with DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
}
final Object value = deserialize(p, ctxt);
if (p.nextToken() != JsonToken.END_ARRAY) {
diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
new file mode 100644
index 0000000..2147cf1
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
@@ -0,0 +1,44 @@
+package com.fasterxml.jackson.databind.deser.dos;
+
+import java.io.IOException;
+import com.fasterxml.jackson.databind.*;
+
+public class DeepArrayWrappingForDeser3582Test extends BaseMapTest
+{
+ // 23-Aug-2022, tatu: Before fix, failed with 5000
+ private final static int TOO_DEEP_NESTING = 9999;
+
+ public void testArrayWrapping() throws Exception
+ {
+ final String doc = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "{}");
+ final ObjectMapper MAPPER = new ObjectMapper();
+ MAPPER.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
+ try {
+ MAPPER.readValue(doc, Point.class);
+ fail("Should not pass");
+ } catch (IOException e) {
+ verifyException(e, "Cannot deserialize");
+ verifyException(e, "nested JSON Array");
+ verifyException(e, "only single");
+ }
+ }
+
+ private String _nestedDoc(int nesting, String open, String close, String content) {
+ StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
+ for (int i = 0; i < nesting; ++i) {
+ sb.append(open);
+ if ((i & 31) == 0) {
+ sb.append("\n");
+ }
+ }
+ sb.append("\n").append(content).append("\n");
+ for (int i = 0; i < nesting; ++i) {
+ sb.append(close);
+ if ((i & 31) == 0) {
+ sb.append("\n");
+ }
+ }
+ return sb.toString();
+ }
+
+}
Reference in New Issue View Git Blame Copy Permalink