Skip to content

Commit 2c4a601

Browse files
rzo1cowtowncoder
rzo1
and
cowtowncoder
authored
[2.13.x] Add check in primitive value deserializers to avoid deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [CVE-2022-42003] (#3621)
* Fix #3590 (cherry picked from commit d78d00e) * Updates release notes for 2.13.4.1 Co-authored-by: Tatu Saloranta <[email protected]>
1 parent 7690a33 commit 2c4a601

File tree

3 files changed

+140
-12
lines changed

3 files changed

+140
-12
lines changed

release-notes/VERSION-2.x

+5
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,11 @@ Project: jackson-databind
44
=== Releases ===
55
------------------------------------------------------------------------
66

7+
2.13.4.1 (not yet released)
8+
9+
#3590: Add check in primitive value deserializers to avoid deep wrapper array
10+
nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` [CVE-2022-42003]
11+
712
2.13.4 (03-Sep-2022)
813

914
#3275: JDK 16 Illegal reflective access for `Throwable.setCause()` with

src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java

+40-12
Original file line numberDiff line numberDiff line change
@@ -357,12 +357,8 @@ protected T _deserializeWrappedValue(JsonParser p, DeserializationContext ctxt)
357357
// 23-Mar-2017, tatu: Let's specifically block recursive resolution to avoid
358358
// either supporting nested arrays, or to cause infinite looping.
359359
if (p.hasToken(JsonToken.START_ARRAY)) {
360-
String msg = String.format(
361-
"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
362-
ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
363-
"DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
364360
@SuppressWarnings("unchecked")
365-
T result = (T) ctxt.handleUnexpectedToken(getValueType(ctxt), p.currentToken(), p, msg);
361+
T result = (T) handleNestedArrayForSingle(p, ctxt);
366362
return result;
367363
}
368364
return (T) deserialize(p, ctxt);
@@ -413,7 +409,9 @@ protected final boolean _parseBooleanPrimitive(JsonParser p, DeserializationCont
413409
case JsonTokenId.ID_START_ARRAY:
414410
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
415411
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
416-
p.nextToken();
412+
if (p.nextToken() == JsonToken.START_ARRAY) {
413+
return (boolean) handleNestedArrayForSingle(p, ctxt);
414+
}
417415
final boolean parsed = _parseBooleanPrimitive(p, ctxt);
418416
_verifyEndArrayForSingle(p, ctxt);
419417
return parsed;
@@ -582,7 +580,9 @@ protected final byte _parseBytePrimitive(JsonParser p, DeserializationContext ct
582580
case JsonTokenId.ID_START_ARRAY: // unwrapping / from-empty-array coercion?
583581
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
584582
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
585-
p.nextToken();
583+
if (p.nextToken() == JsonToken.START_ARRAY) {
584+
return (byte) handleNestedArrayForSingle(p, ctxt);
585+
}
586586
final byte parsed = _parseBytePrimitive(p, ctxt);
587587
_verifyEndArrayForSingle(p, ctxt);
588588
return parsed;
@@ -652,7 +652,9 @@ protected final short _parseShortPrimitive(JsonParser p, DeserializationContext
652652
case JsonTokenId.ID_START_ARRAY:
653653
// 12-Jun-2020, tatu: For some reason calling `_deserializeFromArray()` won't work so:
654654
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
655-
p.nextToken();
655+
if (p.nextToken() == JsonToken.START_ARRAY) {
656+
return (short) handleNestedArrayForSingle(p, ctxt);
657+
}
656658
final short parsed = _parseShortPrimitive(p, ctxt);
657659
_verifyEndArrayForSingle(p, ctxt);
658660
return parsed;
@@ -719,7 +721,9 @@ protected final int _parseIntPrimitive(JsonParser p, DeserializationContext ctxt
719721
break;
720722
case JsonTokenId.ID_START_ARRAY:
721723
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
722-
p.nextToken();
724+
if (p.nextToken() == JsonToken.START_ARRAY) {
725+
return (int) handleNestedArrayForSingle(p, ctxt);
726+
}
723727
final int parsed = _parseIntPrimitive(p, ctxt);
724728
_verifyEndArrayForSingle(p, ctxt);
725729
return parsed;
@@ -870,7 +874,9 @@ protected final long _parseLongPrimitive(JsonParser p, DeserializationContext ct
870874
break;
871875
case JsonTokenId.ID_START_ARRAY:
872876
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
873-
p.nextToken();
877+
if (p.nextToken() == JsonToken.START_ARRAY) {
878+
return (long) handleNestedArrayForSingle(p, ctxt);
879+
}
874880
final long parsed = _parseLongPrimitive(p, ctxt);
875881
_verifyEndArrayForSingle(p, ctxt);
876882
return parsed;
@@ -995,7 +1001,9 @@ protected final float _parseFloatPrimitive(JsonParser p, DeserializationContext
9951001
break;
9961002
case JsonTokenId.ID_START_ARRAY:
9971003
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
998-
p.nextToken();
1004+
if (p.nextToken() == JsonToken.START_ARRAY) {
1005+
return (float) handleNestedArrayForSingle(p, ctxt);
1006+
}
9991007
final float parsed = _parseFloatPrimitive(p, ctxt);
10001008
_verifyEndArrayForSingle(p, ctxt);
10011009
return parsed;
@@ -1102,7 +1110,9 @@ protected final double _parseDoublePrimitive(JsonParser p, DeserializationContex
11021110
break;
11031111
case JsonTokenId.ID_START_ARRAY:
11041112
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
1105-
p.nextToken();
1113+
if (p.nextToken() == JsonToken.START_ARRAY) {
1114+
return (double) handleNestedArrayForSingle(p, ctxt);
1115+
}
11061116
final double parsed = _parseDoublePrimitive(p, ctxt);
11071117
_verifyEndArrayForSingle(p, ctxt);
11081118
return parsed;
@@ -1259,6 +1269,9 @@ protected java.util.Date _parseDateFromArray(JsonParser p, DeserializationContex
12591269
default:
12601270
}
12611271
} else if (unwrap) {
1272+
if (t == JsonToken.START_ARRAY) {
1273+
return (java.util.Date) handleNestedArrayForSingle(p, ctxt);
1274+
}
12621275
final Date parsed = _parseDate(p, ctxt);
12631276
_verifyEndArrayForSingle(p, ctxt);
12641277
return parsed;
@@ -2039,6 +2052,21 @@ protected void handleMissingEndArrayForSingle(JsonParser p, DeserializationConte
20392052
// but for now just fall through
20402053
}
20412054

2055+
/**
2056+
* Helper method called when detecting a deep(er) nesting of Arrays when trying
2057+
* to unwrap value for {@code DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS}.
2058+
*
2059+
* @since 2.13.4.1
2060+
*/
2061+
protected Object handleNestedArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
2062+
{
2063+
String msg = String.format(
2064+
"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
2065+
ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
2066+
"DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
2067+
return ctxt.handleUnexpectedToken(getValueType(ctxt), p.currentToken(), p, msg);
2068+
}
2069+
20422070
protected void _verifyEndArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
20432071
{
20442072
JsonToken t = p.nextToken();

src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java

+95
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
package com.fasterxml.jackson.databind.deser.dos;
2+
3+
import java.util.Date;
4+
5+
import com.fasterxml.jackson.databind.*;
6+
import com.fasterxml.jackson.databind.exc.MismatchedInputException;
7+
8+
public class DeepArrayWrappingForDeser3590Test extends BaseMapTest
9+
{
10+
// 05-Sep-2022, tatu: Before fix, failed with 5000
11+
private final static int TOO_DEEP_NESTING = 9999;
12+
13+
private final ObjectMapper MAPPER = jsonMapperBuilder()
14+
.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
15+
.build();
16+
17+
private final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "123");
18+
19+
public void testArrayWrappingForBoolean() throws Exception
20+
{
21+
_testArrayWrappingFor(Boolean.class);
22+
_testArrayWrappingFor(Boolean.TYPE);
23+
}
24+
25+
public void testArrayWrappingForByte() throws Exception
26+
{
27+
_testArrayWrappingFor(Byte.class);
28+
_testArrayWrappingFor(Byte.TYPE);
29+
}
30+
31+
public void testArrayWrappingForShort() throws Exception
32+
{
33+
_testArrayWrappingFor(Short.class);
34+
_testArrayWrappingFor(Short.TYPE);
35+
}
36+
37+
public void testArrayWrappingForInt() throws Exception
38+
{
39+
_testArrayWrappingFor(Integer.class);
40+
_testArrayWrappingFor(Integer.TYPE);
41+
}
42+
43+
public void testArrayWrappingForLong() throws Exception
44+
{
45+
_testArrayWrappingFor(Long.class);
46+
_testArrayWrappingFor(Long.TYPE);
47+
}
48+
49+
public void testArrayWrappingForFloat() throws Exception
50+
{
51+
_testArrayWrappingFor(Float.class);
52+
_testArrayWrappingFor(Float.TYPE);
53+
}
54+
55+
public void testArrayWrappingForDouble() throws Exception
56+
{
57+
_testArrayWrappingFor(Double.class);
58+
_testArrayWrappingFor(Double.TYPE);
59+
}
60+
61+
public void testArrayWrappingForDate() throws Exception
62+
{
63+
_testArrayWrappingFor(Date.class);
64+
}
65+
66+
private void _testArrayWrappingFor(Class<?> cls) throws Exception
67+
{
68+
try {
69+
MAPPER.readValue(TOO_DEEP_DOC, cls);
70+
fail("Should not pass");
71+
} catch (MismatchedInputException e) {
72+
verifyException(e, "Cannot deserialize");
73+
verifyException(e, "nested Arrays not allowed");
74+
}
75+
}
76+
77+
private static String _nestedDoc(int nesting, String open, String close, String content) {
78+
StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
79+
for (int i = 0; i < nesting; ++i) {
80+
sb.append(open);
81+
if ((i & 31) == 0) {
82+
sb.append("\n");
83+
}
84+
}
85+
sb.append("\n").append(content).append("\n");
86+
for (int i = 0; i < nesting; ++i) {
87+
sb.append(close);
88+
if ((i & 31) == 0) {
89+
sb.append("\n");
90+
}
91+
}
92+
return sb.toString();
93+
}
94+
95+
}

0 commit comments

Comments
 (0)