Add numeric value size limits via StreamReadConstraints (fixes sonatype-2022-6438) -- default 1000 chars
#827
Conversation
| * @param maxNumLen max number of characters that are allowed | ||
| * @since 2.14 | ||
| */ | ||
| public void setMaxNumLen(int maxNumLen) { |
There was a problem hiding this comment.
Quick comment: I would want to avoid setters (and probably getters too) since 3.0 has parser and generators fully immutable. Also settings should probably be passed in a separate config object to reduce number of methods/parameters being passed: something like StreamReadConfig / StreamWriteConfig (maybe), sub-classable on per-format basis. Configured using builder()-style approach; starting with default settings.
There was a problem hiding this comment.
It seems like wiring the config together is the most complicated bit of implementing this. Should probably start with master and later backport to 2.x.
With master, if I were to add a StreamReadConfig - is it ok to pass that via the IOContext? This seems like the easiest way to get the StreamReadConfig to the TextBuffer and JsonParser instances (where the num len checking would happen). So the TSFFactoryBuilder could have a method for setting the StreamReadConfig and when the TokenStreamFactory creates the IOContext, it could set the StreamReadConfig on it.
There was a problem hiding this comment.
Hmmh. Ok, first things first: I would suggest going via 2.15, not master, due to package renaming. It'll probably be tricky either way, but I don't think master->2.15 is any easier than the other way around.
But be that as it may, bigger question is that of passing config objects. My first gut reaction is that making these go through IOContext is not clean. But the thing about TextBuffer might be relevant -- passing to JsonParser / JsonGenerator I wouldn't worry as much about (factories have been changed a few times and while unfortunate it's internal interface).
I wouldn't be totally against passing it via IOContext but would prefer alternative.
One thing I do not remember, which may be relevant, is whether format backends sub-class IOContext or not; I have a vague recollection might do, for recycling or such.
EDIT: yes, Csv format module has
public class CsvIOContext extends IOContext { }
but has pretty minimal functionality; basically just wires in secondary TextBuffer with recycler. So that wouldn't be a problem.
There was a problem hiding this comment.
I've introduced a StreamReadConfig - and it can only be set via the TSFBuilder.
Internally, I still haven't found a better way to pass around the StreamReadConfig than using the IOContext.
There was a problem hiding this comment.
Apologies for not thinking this through. As per my CR comments, I think it should be StreamReadLimits (or perhaps StreamReadConstraints).
But one thing that is also needed is to make sure values are fully immutable so they can be shared by parser instances etc. Changes could be done using wihtMaxNumberLength() or such, but that may become unmaintainable when adding values. So perhaps it is necessary to start with builder style construction immediately.
However.... I guess I am ok without doing that right away so we could merge things in sooner.
So it is ok not to add builder as the first thing.
Otherwise I like this; passing limits to/via IOContext makes sense, I think.
pjfanning
force-pushed
the
num-size-limit
branch
from
b5e478f to
0ffc8cf
Compare
|
@cowtowncoder would you be able to re-review this when you get a chance? |
|
Yes @pjfanning I will try to get back to this as soon as possible. |
|
|
||
| private static final int DEFAULT_MAX_NUM_LEN = 1000; | ||
|
|
||
| private int _maxNumLen = DEFAULT_MAX_NUM_LEN; |
There was a problem hiding this comment.
Need to also consider the fact that as-is this would be specific to textual formats. Binary formats would either:
- Interpret this as byte limit instead of char (which is probably fine), or
- use different setting
Either way would need to be documented once we figure out way to go.
Also worth mentioning in Javadocs that application of limits is up to format backend implementation (but that can be added later on).
There was a problem hiding this comment.
currently all the existing code takes Strings and parses Strings - everything has been converted to text before this check is applied
There was a problem hiding this comment.
I understand this is the case for default handling, and in 2.x. Just noting that these checks would not be applied by, say, CBOR or Smile parsers as they use binary encoding of numbers and do not convert to Strings in most cases.
But I think it'd make sense to consider length in "units of input", which can then be chars or bytes as appropriate.
pjfanning
force-pushed
the
num-size-limit
branch
from
48dce66 to
93c6ffd
Compare
|
@cowtowncoder I think I've addressed most of your issues with some recent commits. I've updated the PR description with how the code is called. The class is now StreamReadConstraints and has a builder(). |
|
Ok couple of follow-up question on limits:
|
|
Ok. Besides, I hope we get some feedback during 2.15 RC phase (I'm incurable optimist). |
Upgrade Vert.x from 4.3.8 to the Poppy version 4.4.6. Upgrade log4j from 2.17.* to 2.20.0 to use a version that is compatible with Vert.x. Upgrading Vert.x indirectly upgrades jackson-core from 2.14.0 to 2.15.0 fixing Number Parse DoS (RISMA-2023-0067): FasterXML/jackson-core#827 Upgrading Vert.x indirectly upgrades Netty from 4.1.87.Final to 4.1.100.Final fixing HTTP/2 DoS: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
|
Hi! Shouldn't be a CVE created for this? |
|
@cristinaconstantinc There is no real upside from project perspective, but if someone wants to create a reproduction of a problem for older version(s) and file CVE they can go ahead. And if so we would include information about version fixed in and so on. This based on there not being (to my knowledge) actual published attack against this, work was done pro-actively based on concerns. |
https://folio-org.atlassian.net/browse/MODINVOSTO-181 jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS): FasterXML/jackson-core#827 mod-invoice-storage pins the jackson version to 2.13.4. This effectively downgrades the jackson version provided by RMB (domain-models-runtime, domain-models-api-interfaces) from 2.16.1 to 2.13.4. Fix: Unpin jackson.
jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS): FasterXML/jackson-core#827 mod-audit pins the jackson version to 2.14.1. This effectively downgrades the jackson version provided by RMB (domain-models-runtime, domain-models-api-interfaces) from 2.16.1 to 2.14.1. Fix: Unpin jackson.
https://folio-org.atlassian.net/browse/MODINVOICE-545 jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS): FasterXML/jackson-core#827 mod-invoice pins the jackson version to 2.13.4. This effectively downgrades the jackson version provided by RMB (domain-models-runtime, domain-models-api-interfaces) from 2.16.1 to 2.13.4. Fix: Unpin jackson.
To create a JSONFactory that allows larger numbers, you can use this code
EDIT: fixes sonatype-2022-6438