NullPointerException in IonParser.nextToken() #303
Comments
Thank you for reporting this issue: sounds like sub-optimal handling. I am not sure I see DoS aspect itself as exceptions are the mechanism to use for many kinds of invalid data, but in this case handling should produce package-specified exception, not accidental NPE.
I added a failing unit test for this one, but I do think actual fix needs to go in @mcliedtke @jobarr-amzn do you know what'd be a good way to report this to streaming Ion codec?
I'm taking a look - will open an issue in
Hi @jobarr-amzn! I assume you haven't had a chance to look into this but thought I'd ping just in case.
Description
This vulnerability is an Uncaught Exception (java.lang.NullPointerException) in com.fasterxml.jackson.dataformat, jackson-dataformat-ion (2.13.0, the latest version) with com.amazon.ion, ion-java (1.8.3, the latest version). Specifically, it fails to check the runtime exception java.lang.NullPointerException in the function com.fasterxml.jackson.dataformat.ion.IonParser.nextToken() (IonParser.java:506). The attackers can launch DoS (Denial of Service) attacks against any program that directly uses this library (CWE-2248: Uncaught exception).
The vulnerable code:
The crash stack:
com.amazon.ion.impl.LocalSymbolTable.readOneImport::LocalSymbolTable.java:681
com.amazon.ion.impl.LocalSymbolTable.prepImportsList::LocalSymbolTable.java:646
com.amazon.ion.impl.LocalSymbolTable.readLocalSymbolTable::LocalSymbolTable.java:304
com.amazon.ion.impl.LocalSymbolTable$Factory.newLocalSymtab::LocalSymbolTable.java:68
com.amazon.ion.impl.IonReaderBinaryUserX.has_next_helper_user::IonReaderBinaryUserX.java:252
com.amazon.ion.impl.IonReaderBinaryUserX.hasNext::IonReaderBinaryUserX.java:222
com.amazon.ion.impl.IonReaderBinaryUserX.next::IonReaderBinaryUserX.java:208
com.fasterxml.jackson.dataformat.ion.IonParser.nextToken::IonParser.java:506
com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose::ObjectMapper.java:4649
com.fasterxml.jackson.databind.ObjectMapper.readTree::ObjectMapper.java:3074
com.test.Entry.main::Entry.java:51
Proof of Concept
cd bug_reproduce_program_jackson_ion
bash build.sh
Fix suggestion
Wrap this kind of exception as a type of exception the library provides, e.g. IonException. Maybe the fix should be not only in jackson but also in its dependency, the ion-java package.
Impact
The attackers can launch DoS (Denial of Service) attacks against any program that directly uses this library (CWE-2248: Uncaught exception).
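While the in-library fix discussed above (having ion-java or IonParser raise a package-specified exception instead of an accidental NPE) is pending, a caller can already stop a malformed document from taking down its thread. The following is an added example, not code from the jackson-dataformat-ion or ion-java projects and not the reporter's PoC: a small boundary class that forces every failure escaping the Ion codec, checked or unchecked, into Jackson's own JsonParseException. It assumes jackson-dataformat-ion (and its transitive ion-java) on the classpath; the class name UntrustedIonBoundary, the handler method and the sample byte arrays are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.ion.IonObjectMapper;

/**
 * Added example (hypothetical class, not part of jackson-dataformat-ion or ion-java):
 * a caller-side boundary that converts any RuntimeException escaping the Ion codec
 * into the parser's own checked exception, so attacker-controlled input cannot kill
 * the calling thread with an unhandled NullPointerException.
 */
public final class UntrustedIonBoundary {

    private static final IonObjectMapper MAPPER = new IonObjectMapper();

    private UntrustedIonBoundary() {}

    /**
     * Parses untrusted text or binary Ion into a tree. Every failure, including an
     * unchecked exception thrown from inside IonParser.nextToken() such as the NPE
     * from LocalSymbolTable.readOneImport in this issue, surfaces as an IOException
     * that the caller is forced to handle.
     */
    public static JsonNode readTreeUntrusted(byte[] payload) throws IOException {
        JsonParser p = MAPPER.getFactory().createParser(payload);
        try {
            return MAPPER.readTree(p);
        } catch (RuntimeException e) {
            // IOException subclasses (JsonParseException etc.) propagate unchanged; only
            // unchecked failures are re-typed here. The original exception is kept as the
            // cause so the root frame remains visible in server-side logs.
            throw new JsonParseException(p,
                    "Malformed Ion document: " + e.getClass().getName(), e);
        } finally {
            p.close();
        }
    }

    /** Request-handler sketch: a bad payload becomes a rejection, not a crashed worker. */
    public static String handleRequest(byte[] payload) {
        try {
            JsonNode tree = readTreeUntrusted(payload);
            return "accepted: " + tree.getNodeType();
        } catch (IOException e) {
            // Log e (with its cause) for forensics; never echo the stack trace to the client.
            return "rejected: malformed input";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs (not the reporter's PoC file): a well-formed text Ion struct
        // and a truncated binary Ion document (version marker 0xE0 0x01 0x00 0xEA followed
        // by a struct header whose body is missing). Whatever exception ion-java or the
        // Jackson adapter raises for the truncated bytes, the boundary reports it the same way.
        byte[] good = "{name:\"x\", n:1}".getBytes(StandardCharsets.UTF_8);
        byte[] truncated = {(byte) 0xE0, 0x01, 0x00, (byte) 0xEA, (byte) 0xDE, 0x7F};
        System.out.println(handleRequest(good));
        System.out.println(handleRequest(truncated));
    }
}
```

This is a mitigation at the trust boundary, not a replacement for the library fix: it keeps the service alive and gives callers a single failure type to handle, while the cause chain still shows which frame inside ion-java produced the original exception.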