Comments (4)
The proposed fix only fixes one specific application that enables a setting. Not checking for null values or not validating that the JSON sent conforms to a specific schema is the task of the software itself.
Please show code that actually "crashes the server due to malformed JWT JSON in LoginPacket" for this library.
This is the second time today that an arbitrary Security Scanner report has been handed in without offering detailed information beyond "it is seriously bad". Without additional explaination and possibly demonstration of the problem, I might come to the conclusion this is someone being on a mission to attract attention, or distract from a topic not obvious.
from jsonmapper.
Duplicate of #230.
from jsonmapper.
@SvenRtbg I hear you. Unfortunately, this is all the context I was given in the Checkmarx SCA scan report.
The company I work for requires that all of our projects are scanned for security vulnerabilities before each deployment. So our continuous delivery pipelines fail even if one of our dependencies has a dependency that has a dependency with a known security vulnerability. And that's what happened here.
So my only option is to either report the vulnerability and try to get it patched, or remove the dependency. That's why I reported it.
I thought the maintainers would want to be aware that their library is showing in security scanners as having a vulnerability. 🤷
from jsonmapper.
@paulshryock Thanks for your response.
I am investigating this issue, and my current conclusion is that the other project mentioned in this report in fact has a serious problem when encountering JWT that have been tampered with. That may even shut the server down. To mitigate their anticipated shortcomings of this JsonMapper library, they forked and patched their version. And now for unknown reasons these security scanner results pop up claiming that THIS library here has a DoS vulnerability of high severity.
I am looking at the test suite, and I have to admit there is a bit of ambiguity present in the array test case (and to @cweiske: I'll consolidate and discuss my findings/proposed code changes, but that will need some more time), so it definitely allows to have null values in an array that it's PHPDoc claims to be of a defined other type only. But by itself, this isn't any severe vulnerability inside this library, it is much more likely a vulnerability outside due to not properly validating a JWT before using it.
from jsonmapper.
Related Issues (20)
- Support for PHP8 annotations HOT 1
- Deprecation notice on PHP 8.1 HOT 1
- Mapping variables that contain dashes HOT 2
- Support for PHP8.1 Enum HOT 1
- Warning: Undefined variable $typeName HOT 4
- PHP8.1 Enum Support HOT 4
- Unsound implicit conversions between primitive types HOT 3
- regular arrays in dev-master are broken HOT 3
- When will Backed Enums be available in a release? HOT 1
- Enable parent JSON data with classMap HOT 1
- Exception on different level nested objects HOT 2
- Respect use import statements & change array annotations HOT 1
- Indirect modification of overloaded property ... has no effect HOT 8
- Feature request: Arguments for postMappingMethod
- Automatic unit test execution HOT 2
- Add support for PHP 8.0 constructor property promotion - Has Issue HOT 6
- Constructor arguments are not validated when constructing object types from flat types HOT 6
- Denial Of Service (DOS) Vulnerability found in library HOT 7
- What's the intended NULL value handling? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jsonmapper.