johnzon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Otavio Goncalves de Santana (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JOHNZON-190) Issues when call close method more than twice using Queue as buffer strategy.
Date Tue, 02 Oct 2018 17:11:00 GMT

    [ https://issues.apache.org/jira/browse/JOHNZON-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16635832#comment-16635832
] 

Otavio Goncalves de Santana commented on JOHNZON-190:
-----------------------------------------------------

Hey [~romain.manni-bucau] could you move it to the branch: maintenance_1.0.x also, please?
https://github.com/apache/johnzon/pull/28

> Issues when call close method more than twice using Queue as buffer strategy.
> -----------------------------------------------------------------------------
>
>                 Key: JOHNZON-190
>                 URL: https://issues.apache.org/jira/browse/JOHNZON-190
>             Project: Johnzon
>          Issue Type: Bug
>          Components: JSON-B
>    Affects Versions: 1.1.10
>            Reporter: Otavio Goncalves de Santana
>            Assignee: Romain Manni-Bucau
>            Priority: Major
>             Fix For: 1.1.11
>
>
> Title: Issues when calling the close method more than twice using Queue as a buffer strategy.
>  
> Hello everyone.
>  
> I would like to report a bug within JsonGeneratorImpl. In the JsonGeneratorImpl has the
BufferStrategy.BufferProvider<char[]> as an attribute.
> This BufferStrategy.BufferProvider either [put the buffer in the Queue|https://github.com/apache/johnzon/blob/d7a4a2f9de8c39b84fbb8b73b13c6f7f6514a9cf/johnzon-core/src/main/java/org/apache/johnzon/core/JsonGeneratorImpl.java#L466],
whose uses the release *method*, and [feed|https://github.com/apache/johnzon/blob/d7a4a2f9de8c39b84fbb8b73b13c6f7f6514a9cf/johnzon-core/src/main/java/org/apache/johnzon/core/JsonGeneratorImpl.java#L72]
the buffer using the *newBuffer* method.
>  
> As consequences of this behavior there are two failures:
>  
>  # Waste of memory issue
>  
> The code below, it will put the same value in the queue six times.
> {code:java}
> public class App {
>    public static void main(String[] args) throws IOException {
>        Path path = Paths.get("generated.json");
>        OutputStream out = Files.newOutputStream(path);
>        JsonGenerator jsonGen = Json.createGenerator(out);
>        jsonGen.writeStartObject();
>        jsonGen.write("false", JsonValue.FALSE);
>        jsonGen.write("true", JsonValue.TRUE);
>        jsonGen.writeEnd();
>        jsonGen.close();
>        jsonGen.close();
>        jsonGen.close();
>        jsonGen.close();
>        jsonGen.close();
>        jsonGen.close();
>    }
> }
> {code}
> Doing a malicious code such as below, it will use a huge number of memory.
> {code:java}
> public class App1 {
>    public static void main(String[] args) throws IOException {
>        Path path = Paths.get("generated.json");
>        OutputStream out = Files.newOutputStream(path);
>        JsonGenerator jsonGen = Json.createGenerator(out);
>        jsonGen.writeStartObject();
>        jsonGen.write("false", JsonValue.FALSE);
>        jsonGen.write("true", JsonValue.TRUE);
>        jsonGen.writeEnd();
>        while (true) {
>            jsonGen.close();
>        }
>    }
> }
> {code}
>  # The security issue
> It uses the value in the queue as a buffer; thereby, it is a security failure once a
request can read information from another application, thus, an isolation issue.
> {code:java}
> public class App2 {
>    public static void main(String[] args) throws Exception {
>        Path path = Paths.get("generated2.json");
>        OutputStream out = Files.newOutputStream(path);
>        JsonGenerator jsonGen = Json.createGenerator(out);
>        jsonGen.writeStartObject();
>        jsonGen.write("keyA", JsonValue.FALSE);
>        jsonGen.write("keyB", JsonValue.TRUE);
>        jsonGen.writeEnd();
>        jsonGen.close();
>        Path path3 = Paths.get("generated3.json");
>        OutputStream out2 = Files.newOutputStream(path3);
>        JsonGenerator jsonGen2 = Json.createGenerator(out2);
>        jsonGen2.writeStartObject();
>        Field fieldBuffer = jsonGen2.getClass().getDeclaredField("buffer");
>        fieldBuffer.setAccessible(true);
>        char[] buffer = (char[]) fieldBuffer.get(jsonGen);
>        String json = String.valueOf(buffer);
>        System.out.println(json);
>        jsonGen2.flush();
>    }
> }
> {code}
> # Race condition issue:
> As the code below shows, given a mistake of twice close, To class can write using the
same buffer, thereby, a write JSON mistake.
> {code:java}
> public class App3 {
>    public static void main(String[] args) throws IOException {
>        Path path = Paths.get("generated.json");
>        OutputStream out = Files.newOutputStream(path);
>        JsonGenerator jsonGen = Json.createGenerator(out);
>        jsonGen.writeStartObject();
>        jsonGen.write("false", JsonValue.FALSE);
>        jsonGen.write("true", JsonValue.TRUE);
>        jsonGen.writeEnd();
>        jsonGen.close();
>        jsonGen.close();
>        Path path2 = Paths.get("generated2.json");
>        OutputStream out2 = Files.newOutputStream(path2);
>        JsonGenerator jsonGen2 = Json.createGenerator(out2);
>        Path path3 = Paths.get("generated3.json");
>        OutputStream out3 = Files.newOutputStream(path3);
>        JsonGenerator jsonGen3 = Json.createGenerator(out3);
>        jsonGen2.writeStartObject();
>        jsonGen2.write("false1", JsonValue.FALSE);
>        jsonGen2.write("true2", JsonValue.TRUE);
>        jsonGen2.writeEnd();
>        jsonGen3.writeStartObject();
>        jsonGen3.write("false3", JsonValue.FALSE);
>        jsonGen3.write("true4", JsonValue.TRUE);
>        jsonGen3.writeEnd();
>        jsonGen2.close();
>        jsonGen3.close();
>    }
> }
> {code}
> Output 
> {code:json}
> Generated.json: {"false":false,"true":true}
> Generated2.json: {"false3":false,"true4":true}
> Generated3.json: {"false3":false,"true4":true}
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message