Comments (7)
I found this: https://stackoverflow.com/questions/69936667/how-do-i-get-details-of-a-veracode-vulnerability-report
I believe it isn't worthwhile to bother contacting Veracode for details, they are entirely publishing bogus security reports according to public opinion.
from jsonmapper.
This is not a Denial Of Service (DOS) attack vector. It's just a normal exception that can be caught by the application.
DOS would mean it would take the whole server down, which it does not.
from jsonmapper.
Ah, the trustworthiness of a website that hides the relevant info behind a paywall...
from jsonmapper.
Another counter argument: The check introduced in the commit mentioned would only prevent the DoS attack if the flag were set to true, which defaults to false. So either a proper fix would have to set the flag to true in addition to this check, or remove making this optional entirely. Simply adding a check that is disabled by default does not count as a proper fix from my perspective.
I'm happy to discuss details once there is even a theoretical code presented that leads to misbehaving in the library.
from jsonmapper.
Thanks for your responses. I totally understand the lack of actual information on the report is frustrating. Like the other reporter, I'm just reporting what we've found. And I also agree the fix appears to be a setting that may not be set anyway but the security scans are not the brightest. :/
You do have a PR out that looks like it resolves the bStrictObjectTypeChecking setting. If that were merged and a new patch released, it may solve the SCA report?
from jsonmapper.
Unfortunately I believe that PR is not doing the right thing. And the claim in these reports about DoS potential is totally out of proportion in relation to this library's abilities. It's true that you can pass NULL values into an array that claims to only allow certain objects, and there even is a test case for this, validating this happens. So one can hardly claim this is a bug - it is a feature, although an unexpected one.
I have yet to find out what the intention should be, and it will most likely be fixed in a major version release.
from jsonmapper.
The problems PocketMine had were because of unexpected behaviour which arose due to JsonMapper attempting to hydrate objects using flat types. Since JsonMapper performs no checks on the __construct or its inputs during hydration, it can silently lead to unexpected behaviour, or other types of exceptions (aside from JsonMapper_Exception) being thrown. This is not documented anywhere and I made bad assumptions when using JsonMapper around this.
Maintainers previously said they were ok with this behaviour, as JsonMapper isn't intended for data validation; IMHO this defeats half the point of using the library, but as long as you're aware of this, you won't have crash issues like PocketMine did. I made the assumption that JsonMapper would fully validate the data, but it does not.
The referenced commit disables object hydration for arrays. Since PM always uses bStrictObjectTypeChecking in security-sensitive pathways, this was the easiest duct tape I could come up with that didn't break BC.
In addition, PM isn't a web application, everything is handled within a single process, so issues that would just crash one web request will take down a whole PM server due to the architecture, hence the higher vulnerability rating in PocketMine-MP. A tool can be used several ways :)
from jsonmapper.
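A defensive wrapper illustrating the points raised in this thread (an added example, not code from the jsonmapper project or any commenter): it enables bStrictObjectTypeChecking, catches any Throwable rather than only JsonMapper_Exception, and validates the mapped Item[] itself, so a NULL element or a junk field fails one request instead of the whole process. It assumes netresearch/jsonmapper installed via Composer autoload; the Item, Order and loadOrder names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumes netresearch/jsonmapper via Composer; Item, Order and
// loadOrder are hypothetical names for this example.
require __DIR__ . '/vendor/autoload.php';

class Item
{
    /** @var string */
    public $sku;
    /** @var int */
    public $quantity;
}

class Order
{
    /** @var Item[] */
    public $items;
}

// JsonMapper hydrates; it does not validate. So we check the result.
function loadOrder(string $json): Order
{
    $mapper = new JsonMapper();
    // Defaults to false; true rejects flat values where objects are expected.
    $mapper->bStrictObjectTypeChecking = true;
    try {
        $data  = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
        $order = $mapper->map($data, new Order());
    } catch (\Throwable $e) {
        // Not only JsonMapper_Exception: TypeError etc. can surface too.
        throw new \InvalidArgumentException('Malformed order: ' . $e->getMessage(), 0, $e);
    }
    if (!is_array($order->items)) {
        throw new \InvalidArgumentException('items must be an array');
    }
    foreach ($order->items as $i => $item) {
        // A NULL element may survive mapping in releases without the strict check.
        if (!$item instanceof Item) {
            throw new \InvalidArgumentException("items[$i] is not an Item");
        }
        // settype() coerces bad scalars silently (e.g. "abc" -> 0), so check values.
        if (!is_string($item->sku) || $item->sku === '' || $item->quantity < 1) {
            throw new \InvalidArgumentException("items[$i] has invalid fields");
        }
    }
    return $order;
}

// Constructed inputs: the second carries a NULL element inside Item[].
$good = loadOrder('{"items":[{"sku":"A1","quantity":2}]}');
try {
    loadOrder('{"items":[{"sku":"A1","quantity":2}, null]}');
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```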