Disallow nested objects and arrays as keys in objects

Port of stleary/JSON-java#772 to partially remediate https://www.cve.org/CVERecord?id=CVE-2023-5072 , where nested keys can allow relatively small inputs to cause OOM errors through recursion. Test by: - package & import into alpha locally - confirm a suite of unit tests depending on JSONObjects passes - verify that the following CVE Proof-of-concept fails with an 'unexpected character' exception: https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5962464
yext · Mar 26, 2024 · bf3a2ff · bf3a2ff
1 parent 1810c2c
commit bf3a2ff
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/org/json/JSONObject.java b/org/json/JSONObject.java
@@ -187,8 +187,7 @@ public JSONObject(JSONTokener x) throws JSONException {
             case '}':
                 return;
             default:
-                x.back();
-                key = x.nextValue().toString();
+                key = x.nextSimpleValue(c).toString();
             }
 
             /*

diff --git a/org/json/JSONTokener.java b/org/json/JSONTokener.java
@@ -363,12 +363,8 @@ public String nextTo(String delimiters) throws JSONException {
      */
     public Object nextValue() throws JSONException {
         char c = nextClean();
-        String s;
 
         switch (c) {
-            case '"':
-            case '\'':
-                return nextString(c);
             case '{':
                 back();
                 return new JSONObject(this);
@@ -377,6 +373,17 @@ public Object nextValue() throws JSONException {
                 back();
                 return new JSONArray(this);
         }
+        return nextSimpleValue(c);
+    }
+
+    Object nextSimpleValue(char c) throws JSONException {
+        String s;
+
+        switch (c) {
+            case '"':
+            case '\'':
+                return this.nextString(c);
+        }
 
         /*
          * Handle unquoted text. This could be the values true, false, or