3

I am planning to use Gson's fromJson() method to parse a string coming from the browser. Are there any potential vulnerabilities associated with doing that? The data type I am converting to is relatively simple: a List and a boolean. But since Gson uses reflection, is there something for me to watch out for?

For example, with older JVMs (pre 6.24), a DoS attack could have been used against integers, where the integer parser would hang.

Can some clever JSON cause Gson to start loading classes it shouldn't be?

Elijah

3 Answers

3

The thing to watch with Gson is what type of builder you are using (see custom deserializer / serializer).

Gson has another weakness: when you are deserializing (let's say using a custom deserializer), you had better check the type of the object you are passing (use instanceof).

Other main point: Gson will automatically convert the variable based on the type being passed.

i.e. `{ "var1":1 , "var2":"1" }`: the first one will be converted into an integer, the second into a string, therefore I would watch out for your objects' transformation.

7dr3am7
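
The coercion this answer warns about, and the instanceof-style type check in a custom deserializer, as an added example (not code from the original page or from the Gson project). It assumes Gson 2.x and a request class with the shape the question describes, a `List<String>` and a `boolean`, under assumed field names `items` and `enabled`; the request body is constructed for the demo. With the default `Gson`, the `1` and `true` inside the array arrive as the strings `"1"` and `"true"`, and the string `"yes"` is passed through `Boolean.parseBoolean`, so `enabled` silently becomes `false`; the strict deserializer inspects each `JsonElement` and rejects the body at the first type mismatch instead.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonDeserializationContext;
import com.google.gson.JsonDeserializer;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import java.lang.reflect.Type;
import java.util.ArrayList;
import java.util.List;

public class StrictTypesDemo {

    // The shape the question describes: a list and a boolean (field names are assumed).
    static final class Request {
        List<String> items;
        boolean enabled;
    }

    // Custom deserializer that refuses Gson's silent coercions: every field must
    // carry the JSON type the Java field expects, checked on the parsed JsonElement.
    static final class StrictRequestDeserializer implements JsonDeserializer<Request> {
        @Override
        public Request deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext ctx) {
            if (!json.isJsonObject()) {
                throw new JsonParseException("request body must be a JSON object");
            }
            JsonObject obj = json.getAsJsonObject();

            JsonElement items = obj.get("items");          // null when the key is absent
            if (items == null || !items.isJsonArray()) {
                throw new JsonParseException("'items' must be a JSON array");
            }
            JsonElement enabled = obj.get("enabled");
            if (enabled == null || !enabled.isJsonPrimitive()
                    || !enabled.getAsJsonPrimitive().isBoolean()) {
                throw new JsonParseException("'enabled' must be a JSON boolean, not a string or number");
            }

            Request r = new Request();
            r.items = new ArrayList<>();
            for (JsonElement e : items.getAsJsonArray()) {
                // Reject numbers, booleans and nulls instead of stringifying them
                if (!e.isJsonPrimitive() || !e.getAsJsonPrimitive().isString()) {
                    throw new JsonParseException("'items' may only contain strings");
                }
                r.items.add(e.getAsString());
            }
            r.enabled = enabled.getAsBoolean();
            return r;
        }
    }

    public static void main(String[] args) {
        // Constructed request body: a number and a boolean inside the list, and a
        // string where a boolean is expected.
        String body = "{\"items\":[\"a\",1,true],\"enabled\":\"yes\"}";

        // Default Gson: 1 and true are coerced to the strings "1" and "true", and
        // "yes" goes through Boolean.parseBoolean, so 'enabled' ends up false.
        Request lenient = new Gson().fromJson(body, Request.class);
        System.out.println("lenient: items=" + lenient.items + " enabled=" + lenient.enabled);

        // Strict Gson: the same body is rejected at the first type mismatch.
        Gson strict = new GsonBuilder()
                .registerTypeAdapter(Request.class, new StrictRequestDeserializer())
                .create();
        try {
            strict.fromJson(body, Request.class);
            System.out.println("strict: accepted (unexpected)");
        } catch (JsonParseException e) {
            System.out.println("strict: rejected: " + e.getMessage());
        }
    }
}
```

Registering the deserializer with `registerTypeAdapter` replaces Gson's reflective adapter for `Request` only; nested types you delegate to `ctx.deserialize(...)` still get the default coercions, so each type whose shape matters needs its own check.
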
3

For security reasons, a Gson project developer has recommended not allowing deserialization code to load user-specified class definitions; deserialization of generic-typed things should be carefully controlled.

Programmer Bruce
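
The recommendation above, as an added example that is not part of the original answer or of the Gson project: the target type is a compile-time constant built with Gson's `TypeToken`, never a class name taken from the request, and the generic argument is spelled out so Gson checks element types instead of leaving them as `Object`. It assumes Gson 2.x; the method names and the two request bodies are constructed for the demo. `parseIntoClientChosenType` is the pattern to avoid: whatever class name the client sends, Gson will instantiate that class (if it can be loaded) and fill its fields from the JSON.

```java
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.gson.reflect.TypeToken;
import java.lang.reflect.Type;
import java.util.List;

public class FixedTargetTypeDemo {
    private static final Gson GSON = new Gson();

    // The only type this endpoint will ever produce, fixed at compile time,
    // generic argument included.
    private static final Type LIST_OF_STRING = new TypeToken<List<String>>() {}.getType();

    // Pattern to avoid: the client names the class to deserialize into. Gson
    // instantiates whatever class it can load and fills its fields from the JSON,
    // so the attacker rather than the server decides what gets constructed.
    static Object parseIntoClientChosenType(String typeName, String body) throws ClassNotFoundException {
        Class<?> target = Class.forName(typeName);   // user-controlled, never do this
        return GSON.fromJson(body, target);
    }

    // Hardened: the target type is a server-side constant. A non-string element
    // makes Gson throw JsonSyntaxException instead of producing a mis-typed list.
    static List<String> parseItems(String body) {
        return GSON.fromJson(body, LIST_OF_STRING);
    }

    // Raw-type pitfall: without the TypeToken Gson does not know the element type,
    // so nested objects (as LinkedTreeMap) and numbers (as Double) are accepted;
    // a caller's cast to List<String> only fails later, when an element is used.
    static List<?> parseItemsRaw(String body) {
        return GSON.fromJson(body, List.class);
    }

    public static void main(String[] args) {
        String good = "[\"alpha\",\"beta\"]";                 // constructed input
        String sneaky = "[\"alpha\",{\"nested\":true}]";     // constructed input

        System.out.println("fixed type, good input: " + parseItems(good));
        try {
            parseItems(sneaky);
            System.out.println("fixed type, sneaky input accepted (unexpected)");
        } catch (JsonSyntaxException e) {
            System.out.println("fixed type, sneaky input rejected: " + e.getMessage());
        }

        // The raw List accepts the same input; element 1 is a map, not a String.
        List<?> raw = parseItemsRaw(sneaky);
        System.out.println("raw type, element 1 is a " + raw.get(1).getClass().getName());
    }
}
```

The same rule applies to fields inside your request class: declare them as `List<String>`, not `List` or `Object`, so the element type is part of the contract Gson enforces rather than something the client gets to pick.
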
-2

It's not that hard to write a JSON parser, and any well-used open source version should be about as safe as one could hope for. Of course, the parser could contain a bug that makes it subject to buffer overrun and the like, but, again, the logic is simple enough that that shouldn't happen if the code is reasonably well written and well reviewed.

A bigger danger is that you yourself might not properly inspect the results of the parse and accept, say, a number that is out of range for your application, or a string that's too long.

Hot Licks

  • -1 reinventing the wheal is the worst offense a programmer can make. – rook Dec 06 '11 at 18:32
  • Well, I wasn't advocating reinventing anything (especially a [wheal](http://www.medterms.com/script/main/art.asp?articlekey=9539)) -- just saying that it's not difficult code, so there's no special reason to expect errors (other than the fact that programmers make errors). However, there are far worse programming offenses than "reinventing the wheel". – Hot Licks Dec 06 '11 at 19:29
  • @Rook -- I personally wrote a JSON parser (for Qt, where an open source option wasn't available). It took me a few hours one afternoon. 520 lines of code. But that wasn't my point. **My point was** that it's not complicated code (since someone you clearly consider to be an idiot could do it), and if reasonable care was taken in its creation then a security bug would be highly unlikely. So rather than worry about possible security holes in GSON, the OP should worry about other parts of his code. – Hot Licks Dec 07 '11 at 01:32
  • @HotLicks: "it's not complicated code [...] and if reasonable care was taken in its creation then a security bug would be highly unlikely". That sounds a lot like famous last words... – sleske Dec 08 '11 at 20:33
  • @sleske -- It's just being practical. You can have a bug ANYWHERE, but the simpler and smaller the program is, the less likely it is to have bugs. Plus an open-source program that's heavily used is much, much less likely to have bugs. Better to worry about one's own code. – Hot Licks Dec 08 '11 at 21:02
  • Parsing JSON isn't as easy as it seems: http://seriot.ch/parsing_json.php – BenjaminH Sep 26 '17 at 08:47
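
The post-parse inspection this answer calls for, as an added example that is not code from the original page or from Gson. It assumes Gson 2.x and Java 11+, the question's `List` and `boolean` under assumed field names `items` and `enabled`, plus an assumed `int pageSize` field so that a numeric range check can be shown; the limits and the five request bodies are constructed for the demo. Gson itself only enforces JSON syntax and Java types, so list length, string length, character set and numeric range are checked here after `fromJson` returns. Two Gson behaviours the check has to account for: a JSON `null` inside the array yields a `null` element in the `List<String>`, and a body consisting of the literal `null` makes `fromJson` return `null` rather than throw.

```java
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import java.util.List;
import java.util.regex.Pattern;

public class PostParseValidationDemo {
    private static final Gson GSON = new Gson();

    // Application limits (assumed values); the parser knows nothing about them.
    private static final int MAX_ITEMS = 100;
    private static final int MAX_ITEM_LENGTH = 64;
    private static final Pattern ITEM_CHARS = Pattern.compile("[A-Za-z0-9_-]+");
    private static final int MIN_PAGE_SIZE = 1;
    private static final int MAX_PAGE_SIZE = 50;

    static final class Request {
        List<String> items;
        boolean enabled;
        int pageSize;   // assumed extra field, to show a numeric range check
    }

    // Returns the validated request or throws IllegalArgumentException; every
    // parsed body goes through this before the application touches it.
    static Request parseAndValidate(String body) {
        Request r;
        try {
            r = GSON.fromJson(body, Request.class);
        } catch (JsonSyntaxException e) {
            // Malformed JSON, or a value Gson cannot fit into the field type
            // (e.g. 1.5 into an int) lands here.
            throw new IllegalArgumentException("malformed request: " + e.getMessage(), e);
        }
        if (r == null) {
            throw new IllegalArgumentException("empty body");   // body was "null" or empty
        }
        if (r.items == null) {
            throw new IllegalArgumentException("items is required");
        }
        if (r.items.size() > MAX_ITEMS) {
            throw new IllegalArgumentException("too many items: " + r.items.size());
        }
        for (String item : r.items) {
            if (item == null) {
                throw new IllegalArgumentException("null item");   // JSON null inside the array
            }
            if (item.length() > MAX_ITEM_LENGTH) {
                throw new IllegalArgumentException("item too long: " + item.length() + " chars");
            }
            if (!ITEM_CHARS.matcher(item).matches()) {
                throw new IllegalArgumentException("item contains disallowed characters");
            }
        }
        // A missing pageSize leaves the primitive default 0, which also fails here.
        if (r.pageSize < MIN_PAGE_SIZE || r.pageSize > MAX_PAGE_SIZE) {
            throw new IllegalArgumentException("pageSize out of range: " + r.pageSize);
        }
        return r;
    }

    public static void main(String[] args) {
        String[] bodies = {   // constructed inputs: one good, four that must be rejected
            "{\"items\":[\"a\",\"b\"],\"enabled\":true,\"pageSize\":10}",
            "{\"items\":[\"a\",null],\"enabled\":true,\"pageSize\":10}",
            "{\"items\":[\"a\"],\"enabled\":true,\"pageSize\":99999}",
            "{\"items\":[\"" + "x".repeat(MAX_ITEM_LENGTH + 1) + "\"],\"enabled\":true,\"pageSize\":10}",
            "{\"items\":[\"a\"],\"enabled\":true,\"pageSize\":1.5}",
        };
        for (String body : bodies) {
            try {
                Request r = parseAndValidate(body);
                System.out.println("accepted: " + r.items.size() + " items, pageSize=" + r.pageSize);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Keep the limits on the server side and fail closed: the question's original `List` and `boolean` are simple, but a list with no size bound is still an allocation the client controls.
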