Merge pull request #233 from ccudennec-otto/fix-CVE-2024-57699

fix CVE-2024-57699 for predefined parsers

Author: UrielCh

README.md

@@ -19,6 +19,10 @@ So I do not use my json-smart anymore. I had fun with this project. If you want
 
 # Changelog
 
+## *V 2.5.2* (2025-02-07)
+
+* Fix CVE-2024-57699 for predefined parsers. [PR 233](https://github.com/netplex/json-smart-v2/pull/233)
+
 ### *V 2.5.1* (2024-03-14)
 
 * Bump all dependencies.
@@ -122,4 +126,4 @@ So I do not use my json-smart anymore. I had fun with this project. If you want
 
 ### *V 2.0-RC1* (2012-02-18)
   * speed improvement in POJO manipulation
-  * add JSONStyle.LT_COMPRESS predefined generate strct json, but ignoring / escapement.
+  * add JSONStyle.LT_COMPRESS predefined generate strct json, but ignoring / escapement.

json-smart/src/main/java/net/minidev/json/parser/JSONParser.java

@@ -115,21 +115,21 @@ public class JSONParser {
 	 * 
 	 * @since 1.0.6
 	 */
-	public final static int MODE_RFC4627 = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_SPACE;
+	public final static int MODE_RFC4627 = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_SPACE | LIMIT_JSON_DEPTH;
 	/**
 	 * Parse Object like json-simple
 	 * 
 	 * Best for an iso-bug json-simple API port.
 	 * 
 	 * @since 1.0.7
 	 */
-	public final static int MODE_JSON_SIMPLE = ACCEPT_USELESS_COMMA | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_DATA | ACCEPT_TAILLING_SPACE | REJECT_127_CHAR | BIG_DIGIT_UNRESTRICTED;
+	public final static int MODE_JSON_SIMPLE = ACCEPT_USELESS_COMMA | USE_HI_PRECISION_FLOAT | ACCEPT_TAILLING_DATA | ACCEPT_TAILLING_SPACE | REJECT_127_CHAR | BIG_DIGIT_UNRESTRICTED | LIMIT_JSON_DEPTH;
 	/**
 	 * Strictest parsing mode
 	 * 
 	 * @since 2.0.1
 	 */
-	public final static int MODE_STRICTEST = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | REJECT_127_CHAR;
+	public final static int MODE_STRICTEST = USE_INTEGER_STORAGE | USE_HI_PRECISION_FLOAT | REJECT_127_CHAR | LIMIT_JSON_DEPTH;
 	/**
 	 * Default json-smart processing mode
 	 */

json-smart/src/test/java/net/minidev/json/test/TestCVE202457699.java

@@ -0,0 +1,56 @@
+package net.minidev.json.test;
+
+import net.minidev.json.parser.JSONParser;
+import net.minidev.json.parser.ParseException;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class TestCVE202457699 {
+
+    private static final String MALICIOUS_STRING = createMaliciousString();
+
+    @Test
+    public void jsonSimpleParserShouldRestrictDepth() {
+        JSONParser p = new JSONParser(JSONParser.MODE_JSON_SIMPLE);
+        assertThrows(ParseException.class,
+                () -> p.parse(MALICIOUS_STRING),
+                "Malicious payload, having non natural depths");
+    }
+
+    @Test
+    public void strictestParserShouldRestrictDepth() {
+        JSONParser p = new JSONParser(JSONParser.MODE_STRICTEST);
+        assertThrows(ParseException.class,
+                () -> p.parse(MALICIOUS_STRING),
+                "Malicious payload, having non natural depths");
+    }
+
+    @Test
+    public void rfc4627ParserShouldRestrictDepth() {
+        JSONParser p = new JSONParser(JSONParser.MODE_RFC4627);
+        assertThrows(ParseException.class,
+                () -> p.parse(MALICIOUS_STRING),
+                "Malicious payload, having non natural depths");
+    }
+
+    @Test
+    public void permissiveParserShouldRestrictDepth() {
+        JSONParser p = new JSONParser(JSONParser.MODE_PERMISSIVE);
+        assertThrows(ParseException.class,
+                () -> p.parse(MALICIOUS_STRING),
+                "Malicious payload, having non natural depths");
+    }
+
+    private static String createMaliciousString() {
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < 10000 ; i++) {
+            sb.append("{\"a\":");
+        }
+        sb.append("1");
+        for (int i = 0; i < 10000 ; i++) {
+            sb.append("}");
+        }
+        return sb.toString();
+    }
+}