Expand Up @@ -65,10 +65,11 @@ public class SanityChecker {

private static final String INVALID_CRITERIA = "Criteria failed when sanitizing, it may contains insecure data : ";
private static final String JSON_IS_NOT_VALID_FROM_SANITIZE_CHECK = "Json is not valid from Sanitize check";
private static final int DEFAULT_LIMIT_PARAMETER_SIZE = 5000;
private static final int DEFAULT_LIMIT_FIELD_SIZE = 10000000;
private static final int DEFAULT_LIMIT_JSON_SIZE = 16000000;
private static final long DEFAULT_LIMIT_FILE_SIZE = 8000000000L;
private static final int DEFAULT_LIMIT_PARAMETER_SIZE = 5_000;
private static final int DEFAULT_LIMIT_FIELD_SIZE = 10_000_000;
private static final int DEFAULT_LIMIT_JSON_SIZE = 16_000_000;
private static final long DEFAULT_LIMIT_FILE_SIZE = 8_000_000_000L;
private static final int DEFAULT_LIMIT_FIELD_NUMBER = 100_000;

public static final String HTTP_PARAMETER_VALUE = "HTTPParameterValue";

Expand All @@ -83,6 +84,10 @@ public class SanityChecker {
* max size of Json or Xml value field
*/
private static int limitFieldSize = DEFAULT_LIMIT_FIELD_SIZE;
/**
* max number of Json fields
*/
private static int limitFieldNumber = DEFAULT_LIMIT_FIELD_NUMBER;
/**
* max size of parameter value field (low)
*/
Expand Down Expand Up @@ -423,7 +428,8 @@ public static void checkJsonSanity(JsonNode json) throws InvalidParseOperationEx
}
} else {
final Iterator<Map.Entry<String, JsonNode>> fields = json.fields();
while (fields.hasNext()) {
int i = 0;
while (i++ < limitFieldNumber && fields.hasNext()) {
final Map.Entry<String, JsonNode> entry = fields.next();
final String key = entry.getKey();
if (isValidParameter(key)) {
Expand Down Expand Up @@ -451,6 +457,11 @@ public static void checkJsonSanity(JsonNode json) throws InvalidParseOperationEx
validateJSONField(value);
}
}
if (fields.hasNext()) {
throw new PreconditionFailedException(
String.format("Invalid JSON. Too many fields (>%s)", limitFieldNumber)
);
}
}
}

Expand Down Expand Up @@ -506,4 +517,18 @@ public static int getLimitParamSize() {
public static void setLimitParamSize(int limitParamSize) {
SanityChecker.limitParamSize = limitParamSize;
}

/**
* @return the limit number of fields of a Json
*/
public static int getLimitFieldNumber() {
return limitFieldNumber;
}

/**
* @param limitFieldNumber the limit number of fields of a Json
*/
public static void setLimitFieldNumber(int limitFieldNumber) {
SanityChecker.limitFieldNumber = limitFieldNumber;
}
}
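Review bot: The Javadoc added for `limitFieldNumber` ("max number of Json fields") reads as a document-wide total, but the counter `i` in checkJsonSanity is declared next to `json.fields()` and only bounds the entries of that one object, so a document made of many nested objects that each stay under the limit is apparently not bounded by it (assuming validateJSONField recurses into child objects, which the hunk does not show). Suggest `* max number of fields of a single Json object (checked per object, not per document)` on the field, and the same wording in the `@return`/`@param` of getLimitFieldNumber and setLimitFieldNumber. Separately, setLimitFieldNumber accepts 0 or a negative value, for which `i++ < limitFieldNumber` is false on the first iteration and every non-empty object is then rejected with "Too many fields (>0)"; the existing setters do not validate either, but this one could guard with `if (limitFieldNumber <= 0) throw new IllegalArgumentException("limitFieldNumber must be positive: " + limitFieldNumber);`. As a point of style, the message could use `%d` rather than `%s` for the int, and `limitFieldNumber` is read twice (loop and message) from a non-volatile static that other threads may set, so the reported limit can differ from the one enforced.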
Expand Up @@ -61,6 +61,17 @@ public void givenJsonWhenValueIsTooBigORContainXMLTag()
assertThatCode(() -> SanityChecker.checkJsonSanity(json)).isInstanceOf(PreconditionFailedException.class);
}

@Test
public void givenJsonWhenFieldNumberIsTooBig() throws InvalidParseOperationException, PreconditionFailedException {
final int initialLimitFieldNumber = SanityChecker.getLimitFieldNumber();
final JsonNode json = JsonHandler.getFromString("{\"1\":1,\"2\":2,\"3\":3,\"4\":4,\"5\":5}");
SanityChecker.setLimitFieldNumber(5);
assertThatCode(() -> SanityChecker.checkJsonSanity(json)).doesNotThrowAnyException();
SanityChecker.setLimitFieldNumber(4);
assertThatCode(() -> SanityChecker.checkJsonSanity(json)).isInstanceOf(PreconditionFailedException.class);
SanityChecker.setLimitFieldNumber(initialLimitFieldNumber);
}

@Test
public void givenJsonWhenValueIsTooBigORContainXMLTagUsingAll() throws InvalidParseOperationException, IOException {
final File file = PropertiesUtils.findFile(TEST_BAD_JSON);
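Review bot: givenJsonWhenFieldNumberIsTooBig restores the static limit only on the happy path; if either assertThatCode fails, `limitFieldNumber` stays at 4 for every later test in the same JVM, which would make unrelated checkJsonSanity tests fail for the wrong reason. Wrap the two setLimitFieldNumber/assert pairs in `try { … } finally { SanityChecker.setLimitFieldNumber(initialLimitFieldNumber); }`. The `throws PreconditionFailedException` on the test signature also looks unnecessary, since checkJsonSanity is only invoked inside the lambdas (JsonHandler.getFromString may still need the InvalidParseOperationException clause — not visible here).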